Jira Cloud (including JIRA Core)
JRACLOUD-25143

Enable X-FRAME-Options header to implement clickjacking protection


    Details

    • Feedback Policy:

      Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Description

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTP(S) pages (server config), and test that nothing breaks.

      Description: Current HTTP headers do not contain the X-Frame-Options header, which helps prevent Clickjacking attacks. A Clickjacking attack is similar to CSRF, in which an attacker can hijack a "click" on a web application from another "invisible" frame in the browser. Essentially, an attacker can force a user to click on a button that is invisible to him/her.

      Exploit Scenario: An attacker crafts a malicious page such that when their victim clicks, they are actually clicking on the link or button in the vulnerable application hosted in an iframe. Thus, an attacker tricks the user into performing an action of the attacker's choosing by directing mouse input to the target application.
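The ticket asks for the header to be added and for the result to be tested. The following is an added example, not code from the ticket or from Atlassian, showing how to audit a response's framing policy the way a browser would evaluate it: a Content-Security-Policy frame-ancestors directive, when present, overrides X-Frame-Options entirely; DENY and SAMEORIGIN block cross-site framing; the obsolete ALLOW-FROM form and unrecognised values are ignored by current browsers, so the page stays framable; and two differing X-Frame-Options values are treated as a block. The HTTP responses in SAMPLES are constructed for illustration and are not captured from any Jira instance.

```python
"""Audit X-Frame-Options / CSP frame-ancestors on HTTP responses (offline).

Added example: applies the precedence rules browsers use when deciding whether
a page may be embedded in an <iframe>. Input is a raw HTTP/1.1 response text.
"""
from typing import Dict, List, Optional, Tuple


def parse_raw_headers(raw: str) -> Dict[str, List[str]]:
    """Parse status line + headers into a lower-cased name -> values map.

    Repeated header fields are kept as separate list entries.
    """
    headers: Dict[str, List[str]] = {}
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    for line in lines[1:]:           # skip the status line
        if not line.strip():
            break                    # blank line terminates the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(headers: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the frame-ancestors source list of the enforced CSP, or None.

    Only Content-Security-Policy is consulted; frame-ancestors has no effect
    in Content-Security-Policy-Report-Only. An empty source list means 'none'.
    """
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def framing_verdict(headers: Dict[str, List[str]]) -> Tuple[str, str]:
    """Decide whether a cross-site page can embed this response.

    Returns (verdict, reason) with verdict one of:
    'blocked', 'same-origin', 'allow-list', 'framable'.
    """
    sources = frame_ancestors(headers)
    if sources is not None:          # CSP present: X-Frame-Options is ignored
        if sources == ["'none'"]:
            return "blocked", "CSP frame-ancestors 'none'"
        if "*" in sources:
            return "framable", "CSP frame-ancestors * permits any embedder"
        if sources == ["'self'"]:
            return "same-origin", "CSP frame-ancestors 'self'"
        return "allow-list", "CSP frame-ancestors limits embedders to " + " ".join(sources)

    # X-Frame-Options: split comma-joined and repeated fields alike
    xfo = [v.strip().lower()
           for field in headers.get("x-frame-options", [])
           for v in field.split(",") if v.strip()]
    if not xfo:
        return "framable", "no X-Frame-Options and no frame-ancestors"
    if len(set(xfo)) > 1:
        return "blocked", "conflicting X-Frame-Options values are treated as a block"
    value = xfo[0]
    if value == "deny":
        return "blocked", "X-Frame-Options: DENY"
    if value == "sameorigin":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if value.startswith("allow-from"):
        return "framable", "ALLOW-FROM is obsolete and ignored, so the page is framable"
    return "framable", f"unrecognised X-Frame-Options value {value!r} is ignored"


# Constructed sample responses (hypothetical, not captured from a real site).
_BASE = "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
SAMPLES = {
    "as_reported":       _BASE + "Set-Cookie: JSESSIONID=abc; HttpOnly\r\n\r\n<html>",
    "xfo_sameorigin":    _BASE + "X-Frame-Options: SAMEORIGIN\r\n\r\n",
    "xfo_deny":          _BASE + "X-Frame-Options: DENY\r\n\r\n",
    "xfo_allow_from":    _BASE + "X-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n",
    "xfo_conflict":      _BASE + "X-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "csp_overrides_xfo": _BASE + "X-Frame-Options: DENY\r\n"
                         "Content-Security-Policy: default-src 'self'; frame-ancestors *\r\n\r\n",
    "csp_self":          _BASE + "Content-Security-Policy: frame-ancestors 'self'\r\n\r\n",
}


def audit(samples: Dict[str, str] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to its framing verdict."""
    return {name: framing_verdict(parse_raw_headers(raw))[0]
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = framing_verdict(parse_raw_headers(raw))
        print(f"{name:18} {verdict:12} {reason}")
```

The csp_overrides_xfo sample is the caveat worth remembering when verifying the fix: a strict X-Frame-Options header is silently neutralised if any enforced CSP on the same response carries a permissive frame-ancestors directive, so the check must look at both headers rather than only confirming that X-Frame-Options is present.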


People

• Assignee: Unassigned
• Reporter: vosipov Vitaly Osipov [Atlassian]
• Votes: 28
• Watchers: 51
