[CONFSERVER-81829] HSTS configuration not working in confluence 8.0.2

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 8.2.0, 8.1.1
Affects Version/s: 8.1.0, 8.0.1, 8.0.2
Component/s: Security
Labels:

Support reference count:
2
Symptom Severity:
Severity 2 - Major
UIS:
1
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

This is reproducible on Data Center: Yes

Steps to Reproduce

Configure confluence on SSL
Follow KB - how-to-enable-and-configure-http-strict-transport-security-hsts-response-header-on-confluence
Attached web.xml with modifications

Expected Results

Need to see strict transport security header, when accessing the instance

Actual Results

Headers not visible

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available

Important note for the fix

Please read the updated documentation for configuring HSTS response headers.

https://confluence.atlassian.com/confkb/how-to-enable-and-configure-http-strict-transport-security-hsts-response-header-on-confluence-1071813084.html

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

web.xml
173 kB
19/Jan/2023 1:42 PM

follows: VULN-1033847 Failed to load

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...

(1 mentioned in)

Form Name

Rodolfo So added a comment - 30/Jul/2023 3:49 PM

I noticed when the HSTS enabled in 8.2.0, Clickjacking is not working anymore. I've tried to followig these steps below for COnfluence Data Center 8,2.0 and the application always fail. I want to disable the iframe in our Confluence due to vulnerability issue. Please advise.

Server OS: Windows

Confluence DC: 8.2.0

Run confluence via window service.

https://confluence.atlassian.com/confkb/confluence-page-does-not-display-in-an-iframe-827335781.html

Rodolfo So added a comment - 30/Jul/2023 3:49 PM I noticed when the HSTS enabled in 8.2.0, Clickjacking is not working anymore. I've tried to followig these steps below for COnfluence Data Center 8,2.0 and the application always fail. I want to disable the iframe in our Confluence due to vulnerability issue. Please advise. Server OS: Windows Confluence DC: 8.2.0 Run confluence via window service. https://confluence.atlassian.com/confkb/confluence-page-does-not-display-in-an-iframe-827335781.html

Yaroslava Derkach (Inactive) added a comment - 29/Mar/2023 1:05 PM

A fix for this issue is available in Confluence Server and Data Center 8.2.0.
Upgrade now or check out the Release Notes to see what other issues are resolved.

Yaroslava Derkach (Inactive) added a comment - 29/Mar/2023 1:05 PM A fix for this issue is available in Confluence Server and Data Center 8.2.0. Upgrade now or check out the Release Notes to see what other issues are resolved.

Richard Lau added a comment - 06/Mar/2023 4:20 AM

A note for the above has just been added to our documentation. Thank you!

https://confluence.atlassian.com/confkb/how-to-enable-and-configure-http-strict-transport-security-hsts-response-header-on-confluence-1071813084.html

Richard Lau added a comment - 06/Mar/2023 4:20 AM A note for the above has just been added to our documentation. Thank you! https://confluence.atlassian.com/confkb/how-to-enable-and-configure-http-strict-transport-security-hsts-response-header-on-confluence-1071813084.html

Michael B. Gilliam added a comment - 02/Mar/2023 6:29 AM

A note indicating that HSTS is now enabled by default and the previous steps of enabling would actually cause the application to fail would been helpful. Once the modifications to web.xml were removed the application ran successfully with HSTS enabled. Appreciate the response and implementation.

Michael B. Gilliam added a comment - 02/Mar/2023 6:29 AM A note indicating that HSTS is now enabled by default and the previous steps of enabling would actually cause the application to fail would been helpful. Once the modifications to web.xml were removed the application ran successfully with HSTS enabled. Appreciate the response and implementation.

Saran Babu Pannuru (Inactive) added a comment - 01/Mar/2023 11:22 AM

A fix for this issue is available in Confluence Server and Data Center 8.1.1.
Upgrade now or check out the Release Notes to see what other issues are resolved.

Saran Babu Pannuru (Inactive) added a comment - 01/Mar/2023 11:22 AM A fix for this issue is available in Confluence Server and Data Center 8.1.1. Upgrade now or check out the Release Notes to see what other issues are resolved.

Assignee:: Richard Lau

Reporter:: Jetendra Ivaturi (Inactive)

Affected customers:: 2 This affects my team

Watchers:: 8 Start watching this issue

Created:: 19/Jan/2023 9:37 AM

Updated:: 24/Feb/2025 5:00 PM

Resolved:: 01/Mar/2023 11:20 AM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Important note for the fix

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: Rodolfo So added a comment - 30/Jul/2023 3:49 PM

Expand comment: Rodolfo So added a comment - 30/Jul/2023 3:49 PM

Collapse comment: Yaroslava Derkach (Inactive) added a comment - 29/Mar/2023 1:05 PM

Expand comment: Yaroslava Derkach (Inactive) added a comment - 29/Mar/2023 1:05 PM

Collapse comment: Richard Lau added a comment - 06/Mar/2023 4:20 AM

Expand comment: Richard Lau added a comment - 06/Mar/2023 4:20 AM

Collapse comment: Michael B. Gilliam added a comment - 02/Mar/2023 6:29 AM

Expand comment: Michael B. Gilliam added a comment - 02/Mar/2023 6:29 AM

Collapse comment: Saran Babu Pannuru (Inactive) added a comment - 01/Mar/2023 11:22 AM

Expand comment: Saran Babu Pannuru (Inactive) added a comment - 01/Mar/2023 11:22 AM

People

Dates