Issue Summary
This is reproducible on Data Center:
Up until Bamboo 9.6, HTTP Strict Transport Security (HSTS) could be configured in Bamboo by following the steps outlined in this KB article:
Since Bamboo 10 was released, the various filter configurations in web.xml have been moved into internal Java classes, to prevent the application from being exposed to fragile settings and misconfiguration. As part of that change, the HSTS filter was not ported to the internal classes, so HSTS is no longer available in the application. This is the regression.
Steps to Reproduce
- Use Bamboo DC 10
- Try to configure HSTS as per the instructions in the KB article above
Expected Results
- HSTS should work
Actual Results
- HSTS is not enabled
- The application will not start, reporting:
26-Sep-2024 23:44:02.264 SEVERE [main] org.apache.catalina.core.StandardContext.startInternal Error during ServletContainerInitializer processing
javax.servlet.ServletException: ServletContext already contains a complete registration for filter security
	at com.atlassian.bamboo.filter.ServletFilterRegistrar.register(ServletFilterRegistrar.java:62)
	at com.atlassian.bamboo.filter.ServletFilters.registerAll(ServletFilters.java:113)
	at com.atlassian.bamboo.servlet.ServletsInitializer.onStartup(ServletsInitializer.java:20)
	...
Workaround
Configure HSTS on your Load Balancer / Reverse Proxy sitting before the Bamboo application.
Some examples below:
- Red Hat Linux: How to enable HTTP Strict Transport Security (HSTS) on Apache HTTPD
- Ubuntu Linux: How to Set Up HTTP Strict Transport Security (HSTS) for Apache on Ubuntu
- NGINX: HTTP Strict Transport Security (HSTS) and NGINX
- AWS CloudFront: AWS: How do I add HTTP security headers to CloudFront responses?
- F5 BIG-IP: K68657325: How to enforce HTTP Strict Transport Security (HSTS) on a virtual server
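As an added illustration of the workaround (this is example configuration written for this page, not Atlassian's or the NGINX project's own), the NGINX server block below terminates TLS in front of Bamboo and emits the HSTS header itself. The hostname bamboo.example.com, the certificate paths and the upstream address 127.0.0.1:8085 (Bamboo's default Tomcat port) are assumptions; replace them with your own values.

```nginx
# Added example: NGINX reverse proxy in front of Bamboo DC 10 that sets HSTS on the
# proxy, since Bamboo 10 no longer registers its own HSTS filter.
# Hostname, certificate paths and upstream address are assumptions for this example.

# Plain-HTTP listener: only redirect to HTTPS. Do not add the HSTS header here;
# browsers ignore HSTS on non-TLS responses, so it would only give a false sense of coverage.
server {
    listen 80;
    server_name bamboo.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name bamboo.example.com;

    ssl_certificate     /etc/nginx/tls/bamboo.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/bamboo.example.com.key;   # placeholder path

    # HSTS for one year. "always" makes NGINX add the header on every response code,
    # including 4xx/5xx error pages and redirects, not only 2xx/3xx.
    # Start with a short max-age (for example 300) while validating the setup, then raise
    # it; a long max-age cannot be recalled from browsers that have already cached it.
    # Only keep includeSubDomains if every subdomain of this host is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8085;   # assumed Bamboo listener
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 300s;            # build log streaming can hold connections open
    }
}
```

Two points to check after applying it: NGINX's add_header is inherited by a location block only if that location declares no add_header of its own, so any location that adds other headers must repeat the Strict-Transport-Security line; and the header should be confirmed on the TLS endpoint with `curl -sI https://bamboo.example.com/ | grep -i strict-transport-security`, which should show the header on both a normal page and an error response (for example a non-existent path).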