  1. Bitbucket Server
  2. BSERV-13356

Ability to disable HTTP Option Method in Bitbucket

Details

    • Suggestion
    • Status: Gathering Interest
    • Resolution: Unresolved
    • None
    • Security - Other
    • None
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      The HTTP OPTIONS method consistently gets flagged by customer security scanners as a security concern in Bitbucket.

      Because Bitbucket dynamically configures the Tomcat server based on the details described in bitbucket.properties and does not directly use web.xml or server.xml, there is currently no method for the Bitbucket server to disable the OPTIONS HTTP method.

      One of the recommendations has been to block access to the HTTP OPTIONS method at the proxy level rather than attempting to modify the Tomcat instance on the Bitbucket server itself. However, for some customers, this is not an option as they don't have load balancers in their environment.

      In this case, a way to disable the HTTP OPTIONS method on Bitbucket would really help our customers.

          People

            Unassigned
            Prashant Mulya
            Votes: 0
            Watchers: 1