Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to configuration Content Security Policy(CSP) in JIRA?

Eric Lin
Eric Lin January 17, 2022

Hi Team,

 

My Jira always has CSP issue when I use below web to check it.

 - https://observatory.mozilla.org/

Has any solution to resolve CSP issue?

csp_issue.jpg

BR,

Eric

Answer
Watch
Like Luca Andreatta likes this
3574 views

1 answer

1 accepted

1 vote
Answer accepted
Mahesh Shinde
Mahesh Shinde
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 17, 2022

Hi Eric,

The best workaround is to use a web-server like Apache, Nginx etc as a reverse proxy and then use the header re-write features of the proxy to add these headers.

Here is the some document which gives details about security headers in Jira.

https://confluence.atlassian.com/jirakb/security-headers-in-jira-939919914.html

 

Please, let us know if you need any other information.

View More Comments
Eric Lin
Eric Lin January 18, 2022

Hi Mahesh,

I have referenced the information in the link you provided.

It seems that the relevant settings have been added in JIRA to prevent clickjacking.

So that means I don't need to do any CSP setup for clickjacking, right?

If so, what I don't understand is why the https://observatory.mozilla.org/ always shows that there is something wrong with my CSP?

Like
Mahesh Shinde
Mahesh Shinde
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 19, 2022

Hi Eric,

CSPs are usually set at the reverse proxy in front of a webserver.If you are using any webserver before application

CSP recommendations for several proxies, including Apache, are in this third party doc I found:

https://ole.michelsen.dk/blog/secure-your-website-with-content-security-policy/

Like
Eric Lin
Eric Lin January 26, 2022

Hi Mahesh,

Thanks for your help.

My Jira is use Tomcat.

I have another Header(permissions policy) issue.

I have find some information and know how to resolve.

But I don't know which path and file can doing config.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events