Support for HTTP Strict Transport Security (HSTS) in Fisheye/Crucible


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Runtime platform

      Issue Summary

      Provide support for the HTTP Strict Transport Security (HSTS) policy mechanism in Fisheye/Crucible, as has been implemented in Bitbucket since version 8.9. HSTS reduces the chance of users accidentally connecting to Fisheye/Crucible over a non-secure HTTP connection and helps prevent man-in-the-middle attacks.

      By default, the HSTS max-age sent by Fisheye/Crucible is set to 2000 (seconds).

      Workaround

      1. Create a file byteman_rule.btm on the server hosting Fisheye/Crucible.
      2. Add the content below to the file:
        # This is for setting the HSTS max age to the recommended 31536000 in FECRU
        RULE setStsMaxAge
        CLASS com.cenqua.fisheye.web.WebServer
        METHOD addSSLListener
        AT EXIT
        IF true
        DO $src.setStsMaxAge(31536000);
        org.slf4j.LoggerFactory.getLogger("Byteman").info("HSTS max age set successfully");
        ENDRULE
        
      3. Set the following environment variables:

        If Fisheye/Crucible is installed on Linux/macOS, set the environment variables as follows before starting the service:

        # Enable Byteman
        export FISHEYE_LOAD_BYTEMAN=1
        # Specify the path to the Byteman rule file
        export FISHEYE_BYTEMAN_SCRIPT=</path/to/byteman rule file>

        If Fisheye/Crucible is installed as a Windows Service, follow these steps to set the environment variables:

        • Stop Fisheye/Crucible Service.
        • Go to <Fisheye installation directory>\bin from the CMD prompt.
        • Run in CMD: service.bat manage
        • Switch to Java tab and append to the java options:
          -javaagent:<Fisheye installation directory>\tools\byteman\lib\byteman.jar=listener:true,script:<\path\to\byteman rule file>\byteman_rule.btm
        • Apply the changes and close the settings.
      4. Restart Fisheye/Crucible.
      5. From the command line on the server, run the following command to load the Byteman rule:
        # Linux
        cd <Fisheye installation directory>/tools/byteman
        ./load-rules.sh </path/to/byteman rule file>/byteman_rule.btm
        REM Windows
        cd <Fisheye installation directory>\tools\byteman
        load-rules.bat <\path\to\byteman rule file>\byteman_rule.btm

      6. Restart Fisheye/Crucible. The Strict-Transport-Security max-age will now be set to 31536000.
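      To confirm the workaround took effect, the following POSIX shell script (an added example, not part of this issue or of Atlassian's tooling) fetches a server's response headers with curl and checks that the Strict-Transport-Security max-age is at least the 31536000 seconds the rule sets; the instance URL is an assumption.

```shell
#!/bin/sh
# Added example: verify the HSTS header a Fisheye/Crucible instance actually sends.
# The 31536000 threshold comes from the workaround above; the URL is an assumption.

# Print the max-age value (seconds) from a raw Strict-Transport-Security header line.
# Prints nothing if the line carries no max-age directive.
hsts_max_age() {
    # $1: full header line, e.g. "Strict-Transport-Security: max-age=31536000; includeSubDomains"
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Return 0 when max-age is at least the required number of seconds, 1 otherwise.
hsts_ok() {
    # $1: header line, $2: minimum max-age (default 31536000 = one year)
    age=$(hsts_max_age "$1")
    min=${2:-31536000}
    [ -n "$age" ] && [ "$age" -ge "$min" ]
}

# Fetch the response headers from a live server and report on the HSTS header.
# Requires curl; returns non-zero when the header is missing or too short-lived.
check_server() {
    # $1: base URL of the instance, e.g. https://fisheye.example.com (assumed value)
    header=$(curl -sSI "$1" | grep -i '^strict-transport-security:' | tr -d '\r' || true)
    if [ -z "$header" ]; then
        echo "FAIL: no Strict-Transport-Security header returned by $1"
        return 1
    fi
    if hsts_ok "$header"; then
        echo "OK: $header"
    else
        echo "WEAK: $header (max-age below one year)"
        return 1
    fi
}
```

Run `check_server https://fisheye.example.com` against the instance after step 6; the default 2000-second header is reported as WEAK.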

            Assignee:
            Unassigned
            Reporter:
            Andrew Bimba (Inactive)