FishEye / FE-7441

Support for HTTP Strict Transport Security (HSTS) in Fisheye/Crucible


    • Type: Suggestion
    • Resolution: Unresolved
    • Component: Runtime platform

      Issue Summary

      Provide support for the HTTP Strict Transport Security (HSTS) policy mechanism in Fisheye/Crucible, as implemented in Bitbucket from version 8.9. HSTS tells browsers that have already seen the header to upgrade every subsequent request to HTTPS for the max-age lifetime, which reduces the chance of users accidentally connecting to Fisheye/Crucible over plain HTTP and narrows the window for man-in-the-middle attacks such as SSL stripping.

      By default, Fisheye/Crucible sets the HSTS max-age to 2000 (seconds), far below the one-year value (31536000) applied by the workaround below.

      Workaround

      1. Create a file byteman_rule.btm on the server hosting Fisheye/Crucible.
      2. Add the content below to the file:
        # This is for setting the HSTS max age to the recommended 31536000 in FECRU
        RULE setStsMaxAge
        CLASS com.cenqua.fisheye.web.WebServer
        METHOD addSSLListener
        AT EXIT
        IF true
        DO $src.setStsMaxAge(31536000);
        org.slf4j.LoggerFactory.getLogger("Byteman").info("HSTS max age set successfully");
        ENDRULE
        
      3. Set the following environment variables

        If Fisheye/Crucible is installed on Linux/macOS, set the environment variables in the shell (or startup script) that launches Fisheye/Crucible:

        # Enable Byteman
        export FISHEYE_LOAD_BYTEMAN=1
        # Specify the path to the Byteman rule file
        export FISHEYE_BYTEMAN_SCRIPT=</path/to/byteman rule file>
        

        If Fisheye/Crucible is installed as a Windows Service, set the equivalent Java options through the service manager instead:

        • Stop Fisheye/Crucible Service.
        • Go to <Fisheye installation directory>\bin from the CMD prompt.
        • Run in CMD: service.bat manage
        • Switch to Java tab and append to the java options:
          -javaagent:<Fisheye installation directory>\tools\byteman\lib\byteman.jar=listener:true,script:<\path\to\byteman rule file>\byteman_rule.btm 
        • Apply the changes and close the settings.
      4. Restart Fisheye/Crucible
      5. From the command line on the server, run the following command to load the Byteman rule
        # Linux
        cd <Fisheye installation directory>/tools/byteman
        ./load-rules.sh </path/to/byteman rule file>/byteman_rule.btm
        REM Windows
        cd <Fisheye installation directory>\tools\byteman
        load-rules.bat <\path\to\byteman rule file>\byteman_rule.btm
        
      6. Restart Fisheye/Crucible. The Strict-Transport-Security max-age will now be set to 31536000.
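Once the service is back up, the practical check is to look at the Strict-Transport-Security header the instance actually serves, both to confirm the Byteman rule took effect and to see what the summary's max-age values mean in practice. The script below is an added example and is not part of FE-7441 or of Fisheye/Crucible's own code: it extracts the max-age directive from a header line, compares it against the one-year target the workaround aims for, and optionally fetches the live headers with curl. The two sample header lines are constructed to mirror the ticket's default (2000) and post-workaround (31536000) values, and the hostname in the usage comment is a placeholder for your own instance.

```shell
#!/bin/sh
# Added example, not part of FE-7441 or Fisheye/Crucible: verify the
# Strict-Transport-Security header served after the Byteman workaround.
# Assumptions: POSIX sh; curl is available for the live check; the URL
# passed on the command line is a placeholder for your own instance.

# Target from the workaround: one year in seconds.
HSTS_MIN_MAX_AGE=31536000

# Constructed sample header lines (not captured from a real server):
# the ticket's default and the value the Byteman rule sets.
DEFAULT_HDR="Strict-Transport-Security: max-age=2000"
FIXED_HDR="Strict-Transport-Security: max-age=31536000; includeSubDomains"

# hsts_max_age HEADER_LINE
# Print the max-age directive value, or nothing if there is none.
# Directive names are case-insensitive (RFC 6797), so fold to lower case.
hsts_max_age() {
    printf '%s\n' "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# check_hsts HEADER_LINE
# 0: max-age >= HSTS_MIN_MAX_AGE; 1: present but too short;
# 2: header or max-age directive missing (browsers ignore such a header).
check_hsts() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] || return 2
    [ "$age" -ge "$HSTS_MIN_MAX_AGE" ] || return 1
    return 0
}

# report HEADER_LINE: human-readable verdict for one header line.
report() {
    rc=0
    check_hsts "$1" || rc=$?
    case "$rc" in
        0) echo "OK      : $1" ;;
        1) echo "TOO LOW : $1 (want max-age >= $HSTS_MIN_MAX_AGE)" ;;
        *) echo "MISSING : no usable Strict-Transport-Security header" ;;
    esac
    return "$rc"
}

# check_hsts_url URL
# Fetch only the response headers and check the HSTS line. Browsers honour
# HSTS only when it arrives over HTTPS, so test the https:// URL.
check_hsts_url() {
    hdr=$(curl -sS -I --max-time 10 "$1" \
        | tr -d '\r' \
        | grep -i '^strict-transport-security:' \
        | head -n 1)
    report "$hdr"
}

# Offline demonstration on the constructed samples.
report "$DEFAULT_HDR" || true
report "$FIXED_HDR" || true

# Live check when a URL is supplied, e.g.
#   sh check_hsts.sh https://fisheye.example.com/
if [ "$#" -gt 0 ]; then
    check_hsts_url "$1"
fi
```

Run it with no arguments to see the two constructed samples classified, or pass the HTTPS base URL of the instance to check the real response; a result of TOO LOW after step 6 means the rule was not loaded (check the "HSTS max age set successfully" log line from the rule), while MISSING means the response came from a listener that is not sending the header at all.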

              Assignee: Unassigned
              Reporter: Andrew Bimba (abimba@atlassian.com)
              Votes: 1
              Watchers: 1