Jira Data Center
JRASERVER-25143

Enable X-FRAME-Options header to implement clickjacking protection

    • Severity 3 - Minor
      Atlassian Update – 10 November 2017

      Hi everyone!

      I'm happy to announce that clickjacking protection will land in JIRA Server 7.6.

      The following HTTP headers will be set for JIRA responses:

      Header                   Value
      X-Frame-Options          SAMEORIGIN
      Content-Security-Policy  frame-ancestors 'self'

      The headers block the content from being embedded in iframes (and similar elements), which might also affect pages that you actually wanted to be displayed this way.

      If you don't like this change, you can create a list of paths to be excluded from this protection, or disable the security headers entirely.

      If you want to know more, check out the release notes and knowledge base article.


      Cheers,

      Maciej Rzymski

      JIRA Server Team


      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTP(S) pages (server config), and test that nothing breaks.

      Description: Current HTTP headers do not contain the X-FRAME-Options header, which helps prevent Clickjacking attacks. A Clickjacking attack is similar to CSRF, in which an attacker can hijack a "click" on a web application from another "invisible" frame in the browser. Essentially, an attacker can force a user to click on a button that is invisible to him/her.

      Exploit Scenario: An attacker crafts a malicious page such that when their victim clicks, they are actually clicking on the link or button in the vulnerable application hosted in an iframe. Thus, an attacker tricks the user into performing an action of the attacker's choosing by directing mouse input to the target application.

      Workaround

      Applying an additional header to the Apache HTTP server can mitigate this problem, specifically using the SAMEORIGIN setting. If the header contains the SAMEORIGIN option, the response will be loaded within a frame only if the parent page is from the same origin.

      For Apache:

      1. Add this to your httpd.conf file:

         Header always append X-Frame-Options SAMEORIGIN

      2. Ensure the headers module is enabled. The line below is required in httpd.conf; on Ubuntu/Debian, a2enmod headers will turn it on.

         LoadModule headers_module modules/mod_headers.so

      3. Restart Apache.

      Note that this is not a panacea for clickjacking. SAMEORIGIN should be safe to use and not provide any negative side-effects.

      SAMEORIGIN will prevent the Issue Collector from loading when embedded in a Confluence page.
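The "test that nothing breaks" step of the TLDR, and the Issue Collector note above, can be made concrete with a checker that applies the browser's own rules for the two headers named in this issue. This is an added example and not code from the issue or from Atlassian: it implements the X-Frame-Options processing model of the WHATWG HTML standard and the CSP frame-ancestors directive for a subset of source expressions ('none', 'self', '*', a bare scheme such as https:, and an explicit origin; anything else, such as a host wildcard, raises ValueError rather than being guessed at). The hostnames jira.example.com and confluence.example.com and the header blocks are constructed for the example.

```python
"""Decide whether a browser would render a page inside a frame, from its
response headers. Added example for JRASERVER-25143, not Atlassian code;
origins and header blocks below are constructed."""
from __future__ import annotations

from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port], lowercased: what both mechanisms compare."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """(lowercase name, value) pairs; repeated headers stay separate entries."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def source_matches(expr: str, page_origin: str, ancestor: str) -> bool:
    """One CSP source expression against one ancestor origin."""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return ancestor == page_origin
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:  # scheme-source, e.g. https:
        return ancestor.startswith(expr + "//")
    if "://" in expr:  # host-source written as a full origin
        return origin_of(expr) == ancestor
    raise ValueError(f"unsupported frame-ancestors source: {expr}")


def frame_ancestors_allows(value: str, page_origin: str, ancestors: list[str]) -> bool:
    """Every ancestor in the chain must match at least one source."""
    sources = value.lower().split()
    if not sources or sources == ["'none'"]:
        return False
    return all(any(source_matches(s, page_origin, a) for s in sources) for a in ancestors)


def xfo_allows(values: list[str], page_origin: str, ancestors: list[str]) -> bool:
    """X-Frame-Options check; `values` is every header instance split on commas."""
    opts = {v.strip().lower() for v in values if v.strip()}
    if len(opts) > 1 and opts & {"deny", "allowall", "sameorigin"}:
        return False  # conflicting values: the browser fails closed
    if len(opts) != 1:
        return True  # absent, or only unrecognised values: no protection
    (opt,) = opts
    if opt == "deny":
        return False
    if opt == "sameorigin":  # the whole ancestor chain must be same-origin
        return all(a == page_origin for a in ancestors)
    return True  # e.g. ALLOW-FROM: ignored by current browsers


def framing_allowed(raw_headers: str, page_url: str, ancestor_urls: list[str]) -> bool:
    """True if the browser would display page_url inside the given ancestor frames."""
    if not ancestor_urls:
        return True  # top-level navigation: neither header applies
    page_origin = origin_of(page_url)
    ancestors = [origin_of(u) for u in ancestor_urls]
    headers = parse_headers(raw_headers)
    # An enforced CSP carrying frame-ancestors takes precedence over X-Frame-Options.
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            dname, _, dvalue = directive.strip().partition(" ")
            if dname.lower() == "frame-ancestors":
                return frame_ancestors_allows(dvalue, page_origin, ancestors)
    xfo_values: list[str] = []
    for name, value in headers:
        if name == "x-frame-options":
            xfo_values.extend(value.split(","))  # 'Header append' joins with commas
    return xfo_allows(xfo_values, page_origin, ancestors)


# Constructed responses. The first carries the headers announced for JIRA 7.6.
JIRA_76 = "HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\nContent-Security-Policy: frame-ancestors 'self'\n"
XFO_ONLY = "HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\n"
MERGED = "HTTP/1.1 200 OK\nX-Frame-Options: DENY, SAMEORIGIN\n"  # append onto an existing header
ALLOW_FROM = "HTTP/1.1 200 OK\nX-Frame-Options: ALLOW-FROM https://confluence.example.com\n"

JIRA = "https://jira.example.com/browse/ABC-1"            # constructed
SELF = "https://jira.example.com/secure/Dashboard.jspa"   # constructed, same origin
CONFLUENCE = "https://confluence.example.com/display/DOC"  # constructed, the Issue Collector case

if __name__ == "__main__":
    for label, hdrs in [("JIRA 7.6", JIRA_76), ("XFO only", XFO_ONLY),
                        ("merged", MERGED), ("ALLOW-FROM", ALLOW_FROM)]:
        print(f"{label:10} same-origin frame: {framing_allowed(hdrs, JIRA, [SELF])}"
              f"  Confluence frame: {framing_allowed(hdrs, JIRA, [CONFLUENCE])}")
```

Feed it a response captured from each path you proxy (curl -si is enough to capture the headers) together with the origins of the pages that embed it, including a response from any path on the exclusion list, where the absence of both headers means framing is allowed everywhere. Two things it makes visible that reading the config does not: Apache's Header append merges a new value onto an already present header with a comma, and a browser that sees two different tokens fails closed, so even the same-origin frames the application itself relies on stop working; and X-Frame-Options: ALLOW-FROM gives no protection in current browsers, so a deliberate cross-origin exception belongs in frame-ancestors, which also wins whenever both headers are present.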

              mrzymski Maciej Rzymski
              vosipov VitalyA
              Votes: 35
              Watchers: 81