Hi all,
Per the security requirements of the team I am working with, there can't be any kind of external API access. So far the best way to solve this that I have come up with is to block it at the Apache proxy (different VM) level for anything that's an external IP. I.e., I have this in my Apache virtual host:
<Location "/rest/api/2/" >
Order Deny,Allow
Deny from all
Allow from 10.
</Location>
Initial testing looks good, but are there any ramifications I am not thinking of? Could it potentially break any Add-ons, for example?
You will need to allow REST calls to all your users, or dashboards, gadgets and integrations will fail.
However, your security requirements are based on faulty understanding. The REST API is simply a (slightly less functional) interface on to the web-ui. There is no point in blocking it because everything you can do with REST can be done by a user with a browser. REST respects the permissions and security that you set up for UI users.
Blocking REST provides you absolutely no security benefits, it just breaks stuff.
Ugh wrong account
There is currently 2FA SAML in front of JIRA for the web UI. Using the REST API with Basic Auth bypasses that, and that's a security no-go here.
Do you have any users that use JIRA externally? I doubt you can do this unless your whole user base only accesses JIRA internally, as there are REST API calls during normal usage as well.
I believe sometimes the browser itself will make calls to /rest/api/2. For example, just loading the Rapid Boards I can see a request to /rest/api/2/project.
Maybe you could inspect the referrer, as most browser-generated ones will have a value?
I guess this is good preventative measure to prevent users from integrating a cloud service without permission since most will operate via the rest api. Is that the main goal?
Wrong account
Yeah, but I THINK that can be avoided with the subnet rules. I am hoping that as long as I allow api calls from localhost, it should be fine. Hoping.
That won't be enough as the requests will not be coming from localhost. They'll be coming from the end-user.
Somewhat related but you may also be interested in this:
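The thread above leaves the actual requirement stated in two pieces: the poster's real concern is that a script presenting a username and password with Basic Auth skips the SAML 2FA step, while the replies point out that the browser itself calls /rest/api/2 from the end user's IP, so an address-only rule as in the original <Location "/rest/api/2/"> block breaks dashboards, gadgets and boards for anyone outside 10.x. The distinction a proxy can key on is how the request authenticates, not where it comes from: a browser session sends the Jira session cookie and never an Authorization header, whereas a script sends an Authorization header (Basic or otherwise). The configuration below is an added example for this thread, not the poster's config or anything from Atlassian. It assumes Apache httpd 2.4 with mod_authz_core (the 2.2 Order/Deny/Allow syntax from the original post is replaced by Require), that the internal network is 10.0.0.0/8 as the original "Allow from 10." implies, and that the Apache VM terminates client connections directly so that the remote address is the real client (if another load balancer sits in front of Apache, REMOTE_ADDR would be the balancer and mod_remoteip would be needed first).

```apache
# Added example, not from the original post. Assumes Apache httpd 2.4 with
# mod_proxy in front of Jira and mod_authz_core loaded; 10.0.0.0/8 stands in
# for the poster's internal network and should be replaced with the real ranges.

# Match the whole REST tree, not just /rest/api/2/: Jira also serves REST
# resources under other prefixes (e.g. /rest/agile/, /rest/auth/), and Basic
# Auth is accepted on all of them.
<Location "/rest/">
    # Browser sessions authenticate with the session cookie and carry no
    # Authorization header, so same-origin calls made by dashboards, gadgets
    # and boards keep working from any address. A request that does carry an
    # Authorization header (Basic, or any other scheme) is only accepted when
    # the client address is inside the allowed range. The Referer header is
    # not used here on purpose: a client sets it freely, so it is not a control.
    Require expr "%{HTTP:Authorization} == '' || -R '10.0.0.0/8'"
</Location>

# Caveat: the session resource also accepts a username and password, sent in a
# JSON body rather than an Authorization header, and returns a session cookie.
# That is a second way to log in without the SAML front end, so POST to it is
# blocked from outside as well. Because a more specific <Location> replaces the
# parent's Require set, the header rule is repeated here rather than relied on.
# Assumption: nothing in the web UI POSTs to this resource during normal use;
# GET (reading the current session) is left alone.
<Location "/rest/auth/1/session">
    Require expr "(%{HTTP:Authorization} == '' && %{REQUEST_METHOD} != 'POST') || -R '10.0.0.0/8'"
</Location>
```

To check it from outside the allowed range, a plain GET to /rest/api/2/project with the browser's session cookie should still return data, while the same GET with an Authorization: Basic header should be refused with 403, and a POST of credentials to /rest/auth/1/session should likewise be refused. From an internal address all three continue to work, which is what lets internal integrations keep running. This narrows the hole the poster describes; it does not change Nic's point that whatever a REST client may do, it may do only with the permissions of the user it authenticates as.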