How to configure Content Security Policy (CSP) in JIRA?

Eric Lin January 17, 2022

Hi Team,


My Jira always has a CSP issue when I use the website below to check it.

 - https://observatory.mozilla.org/

Is there any solution to resolve the CSP issue?

[screenshot attachment: csp_issue.jpg]

BR,

Eric

Answer accepted
Mahesh Shinde
January 17, 2022

Hi Eric,

The best workaround is to use a web server like Apache, Nginx, etc. as a reverse proxy and then use the header rewrite features of the proxy to add these headers.

Here is some documentation that gives details about security headers in Jira.

https://confluence.atlassian.com/jirakb/security-headers-in-jira-939919914.html


Please, let us know if you need any other information.
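An added example of the reverse-proxy approach described in this answer (not code from the answer, from Atlassian, or from Jira itself): an nginx server block in front of Jira on Tomcat that adds the CSP and related headers at the proxy. The hostname, certificate paths, the Tomcat connector port 8080 and the policy values are assumptions to adjust for your deployment.

```nginx
# Added example: nginx reverse proxy adding security headers in front of Jira.
# Hostname, certificate paths, backend port and policy values are assumed.
server {
    listen 443 ssl;
    server_name jira.example.com;                 # assumed hostname

    ssl_certificate     /etc/nginx/tls/jira.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/tls/jira.key;

    # Start in report-only mode: the browser logs violations to its console
    # instead of blocking Jira's own inline scripts and styles.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; frame-ancestors 'self'" always;

    # After a clean report-only run, enforce the same policy instead:
    # add_header Content-Security-Policy "<same policy string>" always;

    # Other headers scanners such as the Mozilla Observatory look for.
    # Jira's own clickjacking protection (see the KB link above) stays in place.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        # Note: add_header directives are not inherited into a location that
        # declares its own add_header, so keep them all at server level.
        proxy_pass http://127.0.0.1:8080;         # assumed Tomcat connector port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Watch the browser console for reported violations while the report-only header is active, and only switch to the enforced Content-Security-Policy header once Jira's pages load without them.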

Eric Lin January 18, 2022

Hi Mahesh,

I have referenced the information in the link you provided.

It seems that the relevant settings have been added in JIRA to prevent clickjacking.

So that means I don't need to do any CSP setup for clickjacking, right?

If so, what I don't understand is why https://observatory.mozilla.org/ always shows that there is something wrong with my CSP?

Mahesh Shinde
January 19, 2022

Hi Eric,

CSPs are usually set at the reverse proxy in front of a web server. If you are using any web server before the application

CSP recommendations for several proxies, including Apache, are in this third-party doc I found:

https://ole.michelsen.dk/blog/secure-your-website-with-content-security-policy/

Eric Lin January 26, 2022

Hi Mahesh,

Thanks for your help.

My Jira uses Tomcat.

I have another header (Permissions-Policy) issue.

I have found some information and know how to resolve it.

But I don't know which path and file I can configure it in.
