Jira Data Center: JRASERVER-25143

Enable X-FRAME-Options header to implement clickjacking protection

    • 6.02
    • 4.3
    • 60
    • Severity 3 - Minor
    • 42
      Atlassian Update – 10 November 2017

      Hi everyone!

      I'm happy to announce that clickjacking protection will land in JIRA Server 7.6.

      The following HTTP headers will be set for JIRA responses:

      Header                    Value
      X-Frame-Options           SAMEORIGIN
      Content-Security-Policy   frame-ancestors 'self'

      The headers block the content from being embedded in iframes (and similar elements), which might also affect pages that you actually wanted to be displayed this way.

      If you don't like this change, you can create a list of paths to be excluded from this protection, or disable the security headers entirely.

      If you want to know more, check out the release notes and knowledge base article.

       

      Cheers,

      Maciej Rzymski

      JIRA Server Team

       


      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTP(S) pages (server config), and test that nothing breaks.

      Description: Current HTTP headers do not contain the X-FRAME-Options header, which helps prevent Clickjacking attacks. A Clickjacking attack is similar to CSRF, in which an attacker can hijack a "click" on a web application from another "invisible" frame in the browser. Essentially, an attacker can force a user to click on a button that is invisible to him/her.

      Exploit Scenario: An attacker crafts a malicious page such that when their victim clicks, they are actually clicking on the link or button in the vulnerable application hosted in an iframe. Thus, an attacker tricks the user into performing an action of the attacker's choosing by directing mouse input to the target application.

      Workaround

      Applying an additional header to the Apache HTTP server can mitigate this problem, specifically using the SAMEORIGIN setting. If the header contains the SAMEORIGIN option, the response will be loaded within a frame only if the parent page is from the same origin.

      For Apache:

      1. Add this to your httpd.conf file:
        Header always append X-Frame-Options SAMEORIGIN
        
      2. Ensure the headers module is enabled: the line below is required in httpd.conf, or, if using Ubuntu/Debian, a2enmod headers will turn it on.
        LoadModule headers_module modules/mod_headers.so
        
      3. Restart Apache.

      Note that this is not a panacea for clickjacking. SAMEORIGIN should be safe to use and not provide any negative side-effects.

      SAMEORIGIN will prevent the Issue Collector from loading when embedded in a Confluence page
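The headers from the Atlassian update and the SAMEORIGIN workaround above only protect anything if the browser receives them intact, so the TLDR's "test that nothing breaks" is worth automating. The script below is an added example written for this page; it is not Atlassian's, Apache's or Tomcat's code. It applies the browser's own rules to a set of response headers: the HTML standard's X-Frame-Options algorithm (the distinct lower-cased tokens form a set, so a SAMEORIGIN duplicated by an Apache `Header append` still counts once, DENY mixed with anything fails closed, any other mix fails open, and an unknown token such as ALLOW-FROM is ignored, i.e. gives no protection in current browsers) and CSP Level 3 frame-ancestors, which, when present, makes the browser skip X-Frame-Options entirely. The hostnames jira.example.com, confluence.example and evil.example and the script name are placeholders; JIRA_76_HEADERS is constructed from the table in the update; the host-source matching is simplified as noted in the comments. Only fetch_headers touches the network.

```python
"""Framing-policy check: would a browser let parent_url embed page_url?

Added example, not Atlassian's, Apache's or Tomcat's code.  It applies the
rules browsers use for the two headers in the Atlassian update:
  * X-Frame-Options, per the HTML standard's "check a navigation response's
    adherence to X-Frame-Options" (distinct lower-cased tokens form a set);
  * Content-Security-Policy frame-ancestors (CSP Level 3), which, when
    present, makes the browser skip X-Frame-Options altogether.
Only fetch_headers() touches the network.
"""
import sys
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed from the header table in the Atlassian update (JIRA Server 7.6).
JIRA_76_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased: what SAMEORIGIN and 'self' compare."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_ancestors_sources(csp: str):
    """Source expressions of the frame-ancestors directive, or None if absent.
    Simplification: a single policy is assumed (several CSP headers are not merged)."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def source_allows(source: str, parent_origin: str, page_origin: str) -> bool:
    """Does one frame-ancestors source expression admit parent_origin?"""
    parent = urlparse(parent_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return parent_origin == page_origin
    if source == "*":
        return True
    if "://" not in source and source.endswith(":"):  # scheme-source, e.g. https:
        return parent.scheme + ":" == source
    # host-source: [scheme://]host[:port][/path]; a leading "*." matches subdomains.
    # Simplification: a scheme-less host-source is accepted for any parent scheme.
    scheme, _, host = source.partition("://") if "://" in source else ("", "", source)
    if scheme and scheme != parent.scheme:
        return False
    host = host.split("/", 1)[0]
    if host.startswith("*."):
        return parent.netloc.endswith(host[1:])
    return parent.netloc == host


def xfo_allows(xfo_value: str, parent_origin: str, page_origin: str) -> bool:
    """X-Frame-Options as browsers evaluate it.  A repeated header or an Apache
    'Header append' yields a comma-separated list: identical tokens collapse,
    DENY among several tokens fails closed, any other mix fails open, and an
    unknown token such as ALLOW-FROM gives no protection at all."""
    options = {v.strip().lower() for v in xfo_value.split(",")}
    if len(options) > 1:
        return not options & {"deny", "allowall", "invalid"}
    option = next(iter(options))
    if option == "deny":
        return False
    if option == "sameorigin":
        return parent_origin == page_origin
    return True


def framing_verdict(headers: dict, page_url: str, parent_url: str) -> str:
    """'blocked', 'allowed' (a policy admits the parent) or 'unprotected' (no policy)."""
    page_origin, parent_origin = origin_of(page_url), origin_of(parent_url)
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = lowered.get("content-security-policy")
    sources = frame_ancestors_sources(csp) if csp is not None else None
    if sources is not None:  # an enforced frame-ancestors directive wins over X-Frame-Options
        allowed = any(source_allows(s, parent_origin, page_origin) for s in sources)
        return "allowed" if allowed else "blocked"
    xfo = lowered.get("x-frame-options")
    if xfo is None:
        return "unprotected"
    return "allowed" if xfo_allows(xfo, parent_origin, page_origin) else "blocked"


def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    """GET url and return its response headers, repeated names joined with ', '
    the way a browser's header list combines them.  Error responses carry
    headers too, so a 401/403 login page is still checked."""
    req = Request(url, headers={"User-Agent": "framing-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            msg = resp.headers
    except HTTPError as err:
        msg = err.headers
    return {name: ", ".join(msg.get_all(name)) for name in set(msg.keys())}


if __name__ == "__main__":
    # usage: python framing_check.py https://jira.example.com/login.jsp https://evil.example/
    # (placeholder hostnames); with no arguments, evaluate the constructed sample headers.
    if len(sys.argv) == 3:
        page, parent = sys.argv[1], sys.argv[2]
        headers = fetch_headers(page)
    else:
        page, parent = "https://jira.example.com/login.jsp", "https://evil.example/"
        headers = JIRA_76_HEADERS
    print(f"{parent} framing {page}: {framing_verdict(headers, page, parent)}")
```

Run it against the login page and against each path you excluded from the protection; the excluded paths should come back "allowed" for the origin that is meant to embed them (the Confluence host, for the Issue Collector case above) and everything else "blocked". A verdict of "unprotected" on any page means neither header reached the browser, which is what a Fortify-style "Cross-Frame Scripting" finding reports.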


            Adam Gretzinger added a comment -

            Dawn:

            Put a web proxy like nginx and Apache in front of your Jira instance, and force this header.

            nginx: http://nginx.org/en/docs/http/ngx_http_headers_module.html

            apache: https://httpd.apache.org/docs/current/mod/mod_headers.html#header

            Too bad this ticket is closed, the issue still exists.

            --Adam Gretzinger

            Dawn Fama added a comment -

            We are running Jira 8.6.1 Tomcat v8.5.42 and a recent Fortify scan resulted in 

            Medium - Cross-Frame Scripting

            I tried David Black's suggestion for the web.xml and after restarting Jira I get this error in the browser

            "The origin server did not find a current representation for the target resource or is not willing to disclose that one exists"

            Does anyone know how to correct the vulnerability in version 8.6.1?

            William Wynn added a comment -

            PCI DSS requires the following headers now, so it's difficult to run JIRA Server without them if required:

            X-Frame-Options
            X-XSS-Protection - JRASERVER-25145
            Content-Security-Policy
            Strict-Transport-Security - JRASERVER-46150

            Maybe a reverse proxy is the only option now.

            Klynne Hurt added a comment -

            I am finding errors and privacy sites on my mobile phone. Someone is accessing my information; please remove all public debug and spoofing from my device.

            NCATS LAB added a comment - - edited

            #EDIT# Found my error

            hashonboat added a comment -

            We are running JIRA Core 7.3.8 and Tomcat 8.5.6

            I've edited the atlassian-jira/WEB-INF/web.xml file  as follows  (snippet below)

            and have confirmed that David Black's instructions above did in fact work

            <filter>
                <filter-name>httpHeaderSecurity</filter-name>
                <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
                <async-supported>true</async-supported>
                <init-param>
                    <param-name>antiClickJackingEnabled</param-name>
                    <param-value>true</param-value>
                </init-param>
                <init-param>
                    <param-name>antiClickJackingOption</param-name>
                    <param-value>SAMEORIGIN</param-value>
                </init-param>
            </filter>

            <!-- =====================================================
                 THIS MUST BE THE LAST FILTER IN THE DEFINED CHAIN
                 ===================================================== -->
            <filter>
                <filter-name>JiraLastFilter</filter-name>
                <filter-class>com.atlassian.jira.web.filters.JiraLastFilter</filter-class>
            </filter>

            <!-- =====================================================
                 FILTER MAPPINGS FOLLOW :
                 ===================================================== -->

            <filter-mapping>
                <filter-name>httpHeaderSecurity</filter-name>
                <url-pattern>/*</url-pattern>
                <dispatcher>REQUEST</dispatcher>
            </filter-mapping>

            <!-- Special filters that must come at the beginning of the chain because they prevent
                 all other filters from running. This is to prevent those later filters from doing
                 lookups in Pico, which could alter the order in which it instantiates components
                 and thereby trigger a deadlock. -->
            <filter-mapping>
                <filter-name>JiraImportProgressFilter</filter-name>
                <url-pattern>/importprogress</url-pattern>
            </filter-mapping>

            Michael Golla added a comment -

            We are using Apache as a reverse proxy in order to enable HTTPS. We added to the beginning of the vhost.conf file instead of the httpd.conf file:

            header always set x-frame-options "SAMEORIGIN"

            This appears to have mitigated the issue.

            Cecil Soman added a comment -

            We are a team within the federal department with a user group of 10,000. This issue is one of our major security concerns, which is preventing us from opening JIRA system access to a large user community. We tried the workaround provided in this ticket and it did not resolve the issue. Please prioritize this ticket and let us know the ETA as early as possible.

            David Black added a comment - - edited

            Using the built in HttpHeaderSecurityFilter it is possible to mitigate this issue in versions of JIRA above 7.1.7 and/or by using a version of Tomcat >= 7.0.55 or Tomcat >= 8.0.23.

            The following instructions will only work in JIRA 7.1.7 and above or with Tomcat >= 7.0.55 or >= 8.0.23.

            Edit the atlassian-jira/WEB-INF/web.xml file found under your JIRA installation as per the following instructions.

            1. Find the "THIS MUST BE THE LAST FILTER IN THE DEFINED CHAIN" comment and add the following above it (above the comment after the previous filter):

                <filter>
                        <filter-name>httpHeaderSecurity</filter-name>
                        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
                        <async-supported>true</async-supported>
                        <init-param>
                            <param-name>antiClickJackingEnabled</param-name>
                            <param-value>true</param-value>
                        </init-param>
                        <init-param>
                            <param-name>antiClickJackingOption</param-name>
                            <param-value>SAMEORIGIN</param-value>
                        </init-param>
                </filter>
            

            2. Then shortly below you will find the "FILTER MAPPINGS FOLLOW" comment, add the following below it:

                <filter-mapping>
                    <filter-name>httpHeaderSecurity</filter-name>
                    <url-pattern>/*</url-pattern>
                    <dispatcher>REQUEST</dispatcher>
                </filter-mapping>
            

            3. Save the file.
            4. Restart JIRA.


            Eric Lin added a comment -

            Hi,
            I am using Tomcat 8.
            JIRA Version is V7.0.2

            I have added some filters to "Atlassian\JIRA\conf\web.xml" as below.
            Then I restarted the jira service and tried to log in to JIRA.
            I found that my jira page is blank and cannot work.
            How do I do the setting to enable the X-FRAME-Options header?

            <filter>
                <filter-name>httpHeaderSecurity</filter-name>
                <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
                <init-param>
                    <param-name>hstsEnabled</param-name>
                    <param-value>true</param-value>
                </init-param>
                <init-param>
                    <param-name>antiClickJackingEnabled</param-name>
                    <param-value>true</param-value>
                </init-param>
                <init-param>
                    <param-name>antiClickJackingOption</param-name>
                    <param-value>SAMEORIGIN</param-value>
                </init-param>
            </filter>
            <filter-mapping>
                <filter-name>httpHeaderSecurity</filter-name>
                <url-pattern>/*</url-pattern>
            </filter-mapping>


              mrzymski Maciej Rzymski
              vosipov VitalyA
              Affected customers: 35
              Watchers: 81