Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

X-Frame-Options or Content-Security-Policy

Michael Golla
Michael Golla
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
February 24, 2017

A vulnerability scan showed that the JIRA Web server does not set an X-Frame-Options or Content-Security-Policy 'frame-ancestors' respose header in all content responses.

 

The solution was to return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.

 

This is way over my head. Is there something I can do to address this? I have seen others make adjustments to the web.xml file, but the other suggestions don't seem to apply to JIRA Software Server (v7.3)

Answer
Watch
Like BenP likes this
11612 views

2 answers

1 vote
Michael Golla
Michael Golla
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
March 27, 2017

Ben, thank you for replying. I ended up finding a solution here:

https://www.keycdn.com/blog/x-frame-options/

View More Comments
Matthew Garrett
Matthew Garrett
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
November 7, 2017

Can you provide more details? the page you linked mostly refers to Apache, not Tomcat. I'm running into this same finding on our Jira and so far I've found no solution to CSP for tomcat.

Like
NCATS LAB
NCATS LAB
Contributor
November 9, 2017 edited

@Matthew, you may want to watch this ticket:
JRASERVER-25143

Like
Matthew Garrett
Matthew Garrett
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
November 9, 2017

This is related to https in apache, the issue I'm running into is offering up the Content-Security-Policy in http which is provided by tomcat, and according to everything I've seen so far, CSP is not provided by tomcat.

Like
NCATS LAB
NCATS LAB
Contributor
November 9, 2017

Check out Manuel's comment (7th down). The overall ticket is misleading. It seems that, right now, the best solution is to use Apache in a reverse proxy. JIRA, oobe does not include this, nor does its documentation. Their solution is to use Tomcat connectors for https. The ticket looks like it is addressing existing Apache issues with JIRA, but I think they are trying to either implement it, or harden Tomcat. Not really sure where they are taking it.

Like
Reply
0 votes
BenP
BenP
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 27, 2017

Running into similar issues with JIRA Capture. Prob better to log as support request.

View More Comments
NCATS LAB
NCATS LAB
Contributor
November 9, 2017

you may want to watch this ticket:
JRASERVER-25143

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.