When using server.require-ssl=true to trigger HTTP->HTTPS redirects, the following error is logged during startup:

2018-04-24 09:35:42,741 ERROR [localhost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/] For security constraints with URL pattern [/status] only the HTTP methods [GET] are covered. All other methods are uncovered.

This "error" is completely harmless. The setup it's describing is present by design. The /status endpoint is often used as a health check URL for load balancers and proxies, which often consider a redirect to be an "unhealthy" response. Since the /status endpoint doesn't return anything "sensitive" about the instance (an example response is below), even with server.require-ssl=true the system allows /status to be accessed via plain HTTP. All HTTP methods on all other URLs will redirect from HTTP to HTTPS. Prior to Bitbucket Server 5.8 /status only allowed GET requests. 5.8 added support for HEAD and OPTIONS requests, which are also intentionally available via plain HTTP.

To avoid unnecessary concern, security constraints should be explicitly configured for all HTTP methods on /status. Otherwise the error gives the appearance that security constraints haven't been configured correctly.

Example /status response:

{"state":"RUNNING"}