Description
Any Authentication Secrets needed as part of configuring a "Send Web Request" Action have to be stored in a readable Header Key/Value field.
Community Documentation here: https://community.atlassian.com/t5/Jira-articles/Automation-for-Jira-Send-web-request-using-Jira-REST-API/ba-p/1443828
There should be specific "Write Only" fields for inputting authentication secrets so that they can't be retrieved later (even via API).
Currently, any user with access to view/edit Automations can:
- Input arbitrary Authentication Secrets.
- Exfiltrate any existing Authentication Secrets.
- Utilize exfiltrated Secrets in unauthorized external systems.
Partial Workaround:
Disable "Allow project administrators to manage project rules" at https://<yourdomain>.atlassian.net/jira/settings/automation#/config
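Until write-only secret fields exist, the practical defensive check is to find out which existing rules already carry credentials in a readable header. The script below is an added example, not part of this issue or of Atlassian's tooling: it walks a rule export and reports "Send web request" actions whose headers look like stored secrets. The export layout it parses (a `rules` list, each rule with `components`, nested `children` for branches, and a `value.headers` list of name/value pairs), the component type string `jira.issue.outgoing.webhook`, and the sample export itself are all assumptions constructed for the example.

```python
"""Audit a Jira Automation rule export for credentials stored in
"Send web request" header fields (added example; export layout and the
webhook component type are assumed, not taken from Atlassian docs)."""
import json
import re

# Header names that conventionally carry credentials.
SECRET_HEADER_NAMES = {
    "authorization", "proxy-authorization", "x-api-key", "x-auth-token",
    "api-key", "apikey", "x-access-token",
}
# Values that look like credentials even under an unusual header name.
SECRET_VALUE_PATTERNS = [
    re.compile(r"^(?:Basic|Bearer|Token)\s+\S+", re.IGNORECASE),
    re.compile(r"^[A-Za-z0-9_\-]{32,}$"),  # long opaque token
]
# Assumed component type identifier for the "Send web request" action.
WEBHOOK_ACTION_TYPE = "jira.issue.outgoing.webhook"

# Constructed sample export: two rules, the second nesting its action
# under a condition block, as branches do in real exports.
SAMPLE_EXPORT = json.dumps({
    "rules": [
        {
            "name": "Notify ticketing system",
            "components": [
                {"type": "jira.issue.event.trigger:created"},
                {
                    "type": WEBHOOK_ACTION_TYPE,
                    "value": {
                        "url": "https://tickets.example.invalid/api/v1/incidents",
                        "method": "POST",
                        "headers": [
                            {"name": "Content-Type", "value": "application/json"},
                            {"name": "X-Request-Source", "value": "jira-automation"},
                            {"name": "Authorization", "value": "Basic dXNlcjpzM2NyM3Q="},
                        ],
                    },
                },
            ],
        },
        {
            "name": "Escalate P1",
            "components": [
                {"type": "jira.issue.event.trigger:updated"},
                {
                    "type": "jira.issue.condition",
                    "children": [
                        {
                            "type": WEBHOOK_ACTION_TYPE,
                            "value": {
                                "url": "https://pager.example.invalid/v2/enqueue",
                                "method": "POST",
                                "headers": [
                                    {"name": "X-Api-Key", "value": "constructed-placeholder-key"},
                                ],
                            },
                        }
                    ],
                },
            ],
        },
    ]
})


def iter_components(components):
    """Yield every component, descending into nested branch children."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("children", []))


def header_reason(name, value):
    """Return why a header looks like a stored secret, or None if it does not."""
    if name.lower() in SECRET_HEADER_NAMES:
        return f"credential header name '{name}'"
    if any(p.match(value) for p in SECRET_VALUE_PATTERNS):
        return "credential-shaped value"
    return None


def redact(value, keep=4):
    """Keep only a short prefix so the audit report does not itself leak the secret."""
    return value[:keep] + "..." if len(value) > keep else value


def find_exposed_secrets(export_json):
    """Return one finding per credential-looking header in a Send web request action."""
    findings = []
    for rule in json.loads(export_json).get("rules", []):
        for comp in iter_components(rule.get("components", [])):
            if comp.get("type") != WEBHOOK_ACTION_TYPE:
                continue
            action = comp.get("value", {})
            for hdr in action.get("headers", []):
                reason = header_reason(hdr.get("name", ""), hdr.get("value", ""))
                if reason:
                    findings.append({
                        "rule": rule.get("name"),
                        "url": action.get("url"),
                        "header": hdr.get("name"),
                        "value_preview": redact(hdr.get("value", "")),
                        "reason": reason,
                    })
    return findings


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_EXPORT):
        print(f"[{f['rule']}] {f['header']}={f['value_preview']} -> {f['url']} ({f['reason']})")
```

Each finding names the rule, the destination URL and the header, with the value truncated, which is enough to rotate the credential at the receiving system and to decide which rules need to be rebuilt once the write-only field exists. Matching on both header name and value shape catches secrets placed under custom header names, which a name-only check would miss.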