Details
Suggestion
Resolution: Unresolved
Description
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.
Problem Definition
Currently JIRA does not seem to be 100% compatible with the security rule specs defined in the OWASP ModSecurity Core Rule Set (CRS).
The rule set is used not only by Apache mod_security but also by a large number of content distribution network (CDN) providers and by major cloud service providers, as in the Microsoft Azure Application Gateway web application firewall.
Suggested Solution
Make JIRA more compatible with the OWASP WAF rule set: https://coreruleset.org/faq/
Why this is important
- Enterprise customers using CDNs and cloud services such as MS Azure are more likely to enable OWASP WAF rules on their infrastructure. Because JIRA is not 100% compatible, those rules will prevent many JIRA functionalities from working as expected.
- Enforcing WAF rules is very useful for businesses as it makes their infrastructure more robust against attacks.
Issue Links
- causes
  - JSWSERVER-21061 Add Field operation fails with OWASP 3.0 core security rule because the request payload is not a json (Gathering Impact)
  - JSWSERVER-21062 Editing workflow from project settings page gets blocked by Microsoft Azure Application Gateway's OWASP 3.0 core security rule (Gathering Impact)
- relates to
  - JRACLOUD-28458 Improve JIRA compatibility with mod_security (Closed)
  - CONFSERVER-74251 Improve Confluence compatibility with OWASP ModSecurity Core Rule Set (CRS) (Gathering Interest)
- is action for
  - PBAC-600