How do I enable HSTS and other HTTP Security Headers in Bamboo Data Center


Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

If your organization requires HTTP Strict Transport Security (HSTS) and other HTTP security headers, you can implement them directly within Bamboo. Reverse proxies often add these security headers to mitigate certain security risks. For NGINX, refer to HTTP Strict Transport Security (HSTS) and NGINX. For Apache, consider using the mod_headers module to set response headers.

This article covers the implementation of HSTS and additional security headers directly on the Tomcat server bundled with Bamboo:

  • HTTP Strict Transport Security (HSTS): man-in-the-middle (MITM) attacks
  • X-XSS-Protection: cross-site scripting attacks
  • X-Frame-Options: clickjacking attacks
  • X-Content-Type-Options: MIME-sniffing vulnerabilities
  • Content-Security-Policy (CSP): mitigation of various attacks (Bamboo 10.0.2 and later)
  • Referrer-Policy: control of referrer information (Bamboo 10.0.2 and later)
  • Permissions-Policy: control of browser feature usage (Bamboo 10.0.2 and later)

If you use a reverse proxy or load balancer with Bamboo, you may observe that some security headers are duplicated in the HTTP responses: Bamboo sends these headers in addition to the ones the network forwarder adds. If you prefer to serve the security headers exclusively from the reverse proxy or load balancer, either do not enable in Bamboo the additional headers described in this guide, disable Bamboo's security headers, or configure the network forwarder to strip the duplicate headers coming from Bamboo. Note that removing duplicate headers is a configuration feature that may not be available on every network product, and its implementation varies by vendor.

In Bamboo 10.0.2 and later, you can disable Bamboo's security headers, either all of them or individual ones, via System Properties (see the tables below). In Bamboo 9.6 and earlier, you choose which headers to enable, all or only some, in web.xml according to your requirements.

Solution

Bamboo 10 and later

Bamboo 10.0.0 and 10.0.1

HSTS and additional Security Headers are not available in Bamboo 10.0.0 and 10.0.1. Please update Bamboo to version 10.0.2 or later to allow HSTS and security headers.

Bamboo 10.0.2 and later

Bamboo 10.0.2 and later supports several HTTP security header options. Some are enabled by default, while others require specific System Properties to be enabled, disabled, or customized. Check the tables below for more information.

General security headers

| Security feature | HTTP header | Default value | Directives | System property |
| --- | --- | --- | --- | --- |
| Disable HTTP security headers (general) | (none) | false | boolean | bamboo.http.header.security.disabled |
| Disable anti-clickjacking protection | (none) | false | boolean | bamboo.http.header.security.anti.clickjacking.disabled |
| Anti-clickjacking X-Frame-Options | X-Frame-Options: SAMEORIGIN or DENY | SAMEORIGIN | SAMEORIGIN, DENY | bamboo.http.header.security.anti.clickjacking.x_frame_options |
| Content Security Policy (CSP) | Content-Security-Policy: directives | empty (disabled) | directives | bamboo.http.header.security.csp |
| Referrer-Policy | Referrer-Policy: directives | no-referrer-when-downgrade | directives | bamboo.http.header.security.referrer.policy |
| Permissions-Policy | Permissions-Policy: directives | empty (disabled) | directives | bamboo.http.header.security.permissions.policy |
| Disable X-XSS-Protection | X-XSS-Protection: 1; mode=block when the property is false, 0 when it is true | false | boolean | bamboo.http.header.security.xss.protection.disabled |
| Disable X-Content-Type-Options | X-Content-Type-Options: nosniff | false | boolean | bamboo.http.header.security.x_content_type_options.nosniff.disabled |

HTTP Strict Transport Security (HSTS) settings

| Security feature | HTTP header | Default value | Directives | System property |
| --- | --- | --- | --- | --- |
| Disable HTTP Strict Transport Security (HSTS) | (none) | false | boolean | bamboo.http.header.security.hsts.disabled |
| HTTP Strict Transport Security (HSTS) max-age | Strict-Transport-Security: max-age=31536000 | 31536000 | long | bamboo.http.header.security.hsts.max.age |
| Enable HTTP Strict Transport Security (HSTS) preload | Strict-Transport-Security: max-age=31536000; preload | false | boolean | bamboo.http.header.security.hsts.preload.enabled |
| Enable HTTP Strict Transport Security (HSTS) includeSubDomains | Strict-Transport-Security: max-age=31536000; includeSubDomains | false | boolean | bamboo.http.header.security.hsts.include.subdomains |
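The article lists the properties but not where to put them. As an added example, not taken from the Atlassian article, the fragment below passes a set of them to Bamboo's JVM at startup. The file location <BAMBOO-INSTALL>/bin/setenv.sh and the JVM_SUPPORT_RECOMMENDED_ARGS variable are assumptions about Bamboo's startup script; the values (a two-year max-age, includeSubDomains, a stricter Referrer-Policy and a Permissions-Policy that switches off a few browser features) are example choices, not Atlassian defaults or recommendations.

```shell
# Example fragment for <BAMBOO-INSTALL>/bin/setenv.sh. The path and the
# JVM_SUPPORT_RECOMMENDED_ARGS variable are assumptions about Bamboo's startup
# script; each -D option is a System property from the tables above and the
# startup script is assumed to append this variable to the JVM command line.
JVM_SUPPORT_RECOMMENDED_ARGS="${JVM_SUPPORT_RECOMMENDED_ARGS:-} \
  -Dbamboo.http.header.security.hsts.max.age=63072000 \
  -Dbamboo.http.header.security.hsts.include.subdomains=true \
  -Dbamboo.http.header.security.referrer.policy=strict-origin-when-cross-origin \
  -Dbamboo.http.header.security.permissions.policy=camera=(),microphone=(),geolocation=()"
export JVM_SUPPORT_RECOMMENDED_ARGS
```

Two points about these choices. HSTS preload is deliberately left at its default of false: a preloaded host is shipped in browser preload lists together with all of its subdomains, so enable it only once every subdomain under the Bamboo host name serves HTTPS, and keep includeSubDomains and a long max-age in place before doing so. The CSP property is not set because any useful policy contains spaces, and whether the startup script keeps such a value intact as a single argument depends on the Bamboo version; if you set it, confirm the resulting header with the curl check in the Validation section.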

Bamboo 9.6 and earlier

X-Content-Type-Options

In Bamboo 9.6 and earlier, the X-Content-Type-Options: nosniff HTTP header is enabled by default. If you would like to disable it, set the bamboo.security.x.content.type.options.nosniff.disable System Property to true.

HSTS and other security headers

On Bamboo 9.6 and earlier versions, HSTS and other HTTP security headers should be configured at the application level. Specifically, in the <BAMBOO-INSTALL>/atlassian-bamboo/WEB-INF/web.xml file.

Modifications to Tomcat's default conf/web.xml may not be correctly reflected during Bamboo runtime.

In recent Bamboo versions, the httpHeaderSecurity sample code may not be present by default in the application's web.xml file. If so, add the provided code as the first entry to the Filter Definitions or Filter Mappings blocks within the web.xml file.

  1. HTTP Strict Transport Security (HSTS) is only effective over HTTPS (SSL) connections; secure Bamboo with SSL first if you need HSTS.
  2. Back up your current web.xml, located at <BAMBOO-INSTALL>/atlassian-bamboo/WEB-INF/web.xml.
  3. Locate the following filter definition:

    security <filter>
      <filter>
        <filter-name>security</filter-name>
        <filter-class>com.atlassian.seraph.filter.SecurityFilter</filter-class>
      </filter>
  4. Add the following httpHeaderSecurity <filter> stanza to web.xml immediately after the security filter:

    httpHeaderSecurity <filter>
      <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
          <param-name>hstsEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>hstsMaxAgeSeconds</param-name>
          <param-value>31536000</param-value>
        </init-param>
        <init-param>
          <param-name>hstsIncludeSubDomains</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>hstsPreload</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>antiClickJackingEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>antiClickJackingOption</param-name>
          <param-value>SAMEORIGIN</param-value>
        </init-param>
        <init-param>
          <param-name>blockContentTypeSniffingEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>xssProtectionEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
      </filter>
  5. Find the following filter mapping:

    security <filter-mapping>
      <filter-mapping>
        <filter-name>security</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
      </filter-mapping>
  6. Add the following httpHeaderSecurity <filter-mapping> stanza to web.xml immediately after the security filter mapping:

    httpHeaderSecurity <filter-mapping>
      <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
      </filter-mapping>
  7. Restart Bamboo to apply changes.

Validation

To verify the configuration, check for the security headers in the HTTP response, either by capturing the HTTP traffic in a HAR file or by using curl. Example:

$ curl -s -k -D- https://<Bamboo_URL>:<https_port> | egrep -i -e 'Strict-Transport-Security|X-Frame-Options|X-Content-Type-Options|X-XSS-Protection|Content-Security-Policy|Referrer-Policy|Permissions-Policy'
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-xss-protection: 1; mode=block
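The curl command above only shows whether the headers are present. The script below is an added example, not part of the Atlassian article, that audits a captured header block for the conditions this article raises: a header that is missing, a header that appears more than once (the reverse proxy duplication described in the Summary), an HSTS max-age shorter than the article's one-year default, and an HSTS header without includeSubDomains. The two header samples are constructed for the example; in practice, pipe the output of the curl command into audit_security_headers.

```shell
#!/bin/sh
# Audit an HTTP response header block for the security headers this article
# configures. Added example, not part of the Atlassian article.
# Usage: curl -s -k -D- -o /dev/null "https://<Bamboo_URL>:<https_port>/" | audit_security_headers

# Constructed sample 1: every header present, but X-Frame-Options appears twice,
# as seen when a reverse proxy adds a header that Bamboo already sends.
SAMPLE_HEADERS='HTTP/1.1 200
X-Frame-Options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN'

# Constructed sample 2: X-Content-Type-Options missing, HSTS max-age far below a
# year and without includeSubDomains.
WEAK_SAMPLE_HEADERS='HTTP/1.1 200
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=300
x-xss-protection: 1; mode=block'

# header_count NAME: how many times header NAME (case-insensitive) occurs on stdin
header_count() {
  grep -i -c "^$1:" || true
}

# hsts_max_age: the max-age value of the Strict-Transport-Security header on stdin,
# or 0 when the header or the directive is absent
hsts_max_age() {
  age=$(grep -i '^strict-transport-security:' | tr 'A-Z' 'a-z' |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
  printf '%s\n' "${age:-0}"
}

# hsts_has_directive DIRECTIVE: succeeds when the HSTS header on stdin carries DIRECTIVE
# (HSTS directive names are case-insensitive, hence grep -i)
hsts_has_directive() {
  grep -i '^strict-transport-security:' | grep -i -q "$1"
}

# audit_security_headers: reads a header block on stdin and prints one finding per
# line, or a single OK line when nothing is wrong
audit_security_headers() {
  headers=$(cat)
  findings=0
  for name in Strict-Transport-Security X-Frame-Options X-Content-Type-Options X-XSS-Protection; do
    n=$(printf '%s\n' "$headers" | header_count "$name")
    if [ "$n" -eq 0 ]; then
      echo "MISSING   $name"
      findings=$((findings + 1))
    elif [ "$n" -gt 1 ]; then
      echo "DUPLICATE $name sent $n times (reverse proxy and Bamboo both adding it?)"
      findings=$((findings + 1))
    fi
  done
  age=$(printf '%s\n' "$headers" | hsts_max_age)
  if [ "$age" -gt 0 ] && [ "$age" -lt 31536000 ]; then
    echo "WEAK      Strict-Transport-Security max-age=$age is below one year"
    findings=$((findings + 1))
  fi
  if [ "$age" -gt 0 ] && ! printf '%s\n' "$headers" | hsts_has_directive includeSubDomains; then
    echo "NOTE      Strict-Transport-Security lacks includeSubDomains"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ] && echo "OK        expected security headers present exactly once"
  return 0
}

# Stand-alone run over the constructed samples
printf '%s\n' "$SAMPLE_HEADERS" | audit_security_headers
printf '%s\n' "$WEAK_SAMPLE_HEADERS" | audit_security_headers
```

A DUPLICATE finding is the symptom the Summary describes: fix it on one side only, either by disabling the corresponding Bamboo property or by having the proxy stop adding the header, rather than by stripping it at both ends. The script always exits 0 so it can be chained in a pipeline; a CI job that should fail on findings can grep the output for anything other than the OK line.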

If Bamboo fails to start after modifications, revert to the original web.xml file, or refer to Cannot start Bamboo due to invalid web.xml file.

Last modified on Jan 17, 2025
