Bitbucket Data Center / BSERV-13356

Ability to disable HTTP Option Method in Bitbucket


    • Type: Suggestion
    • Resolution: Unresolved
    • None
    • Security - Other
    • None
    • 2
    • 9
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      The HTTP OPTIONS method consistently gets flagged by customer security scanners as a security concern in Bitbucket.

      As Bitbucket dynamically configures the Tomcat server based on the details described in bitbucket.properties and does not directly use web.xml or server.xml, there is currently no method for the Bitbucket server to disable the OPTIONS HTTP method.

      One of the recommendations has been to look to block access to this HTTP OPTIONS method at the proxy level rather than attempting to modify the Tomcat instance on the Bitbucket server itself. However, for some customers, this is not an option as they don't have load balancers in the environment.

      In this case, a way to disable the HTTP OPTIONS method on Bitbucket would really help our customers.

              Assignee: Unassigned
              Reporter: Prashant Mulya
              Votes: 4
              Watchers: 12
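One way to verify the proxy-level block recommended in the description, as an added example that is not part of the original issue or Atlassian's code. The function names, the "blocked" criterion (an error status with no OPTIONS in the `Allow` header) and the two local handler classes are assumptions constructed for illustration; point `options_is_blocked` at your own front-end host and port in practice.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def options_status(host, port, path="/"):
    """Send one OPTIONS request; return (status code, Allow header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()


def options_is_blocked(host, port, path="/"):
    """Assumed criterion: refused with 4xx/5xx and OPTIONS not advertised."""
    status, allow = options_status(host, port, path)
    advertised = [m.strip().upper() for m in (allow or "").split(",")]
    return status >= 400 and "OPTIONS" not in advertised


def make_handler(status, allow):
    """Build a constructed stand-in server that answers OPTIONS as given."""
    class Handler(BaseHTTPRequestHandler):
        def do_OPTIONS(self):
            self.send_response(status)
            self.send_header("Allow", allow)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass
    return Handler


def serve(handler):
    """Start a throwaway server on a free loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    direct = serve(make_handler(200, "GET, HEAD, POST, OPTIONS"))  # no block
    fronted = serve(make_handler(405, "GET, HEAD, POST"))          # blocked
    for name, srv in (("direct", direct), ("fronted", fronted)):
        print(name, options_is_blocked("127.0.0.1", srv.server_port))
        srv.shutdown()
```

Run the same check after any proxy change, since a scanner will keep flagging the finding until the front end actually refuses the method.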