Details
Suggestion
Resolution: Unresolved
Description
HTTP OPTIONS Method consistently gets flagged by customer security scanners as a Security concern in bitbucket
Because Bitbucket dynamically configures its Tomcat server from the settings in bitbucket.properties and does not use web.xml or server.xml directly, there is currently no supported way to disable the HTTP OPTIONS method on the Bitbucket server.
One recommendation has been to block the OPTIONS method at the proxy level rather than modifying the Tomcat instance on the Bitbucket server itself. However, this is not an option for some customers, as they have no load balancers in their environment.
In this case, a supported way to disable the HTTP OPTIONS method in Bitbucket would really help our customers.
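As an added illustration of the proxy-level recommendation above (example configuration written here, not taken from the ticket or from Atlassian), this nginx fragment sits in front of Bitbucket and rejects OPTIONS before it reaches Tomcat; the server name, certificate paths and the upstream address are assumptions.

```nginx
# Added example: nginx reverse proxy in front of Bitbucket that rejects the
# OPTIONS method at the proxy. Hostname, certificate paths and the upstream
# address are assumptions, not values from the ticket.
server {
    listen 443 ssl;
    server_name bitbucket.example.com;                  # assumed hostname
    ssl_certificate     /etc/nginx/tls/bitbucket.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/bitbucket.key;   # assumed path

    location / {
        # Answer OPTIONS with 405 Method Not Allowed so Tomcat never sees it.
        if ($request_method = OPTIONS) {
            return 405;
        }

        # Everything else is proxied to Bitbucket unchanged.
        proxy_pass         http://127.0.0.1:7990;       # assumed Bitbucket bind address
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

OPTIONS is also the CORS preflight method, so rejecting it globally can break browser clients that call Bitbucket cross-origin; check with `curl -i -X OPTIONS https://bitbucket.example.com/` that the proxy returns 405 while ordinary GET and POST requests still pass through.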