  1. Jira Server and Data Center
  2. JRASERVER-43726

JIRA provides many information to anonymous users

    Details

    • Type: Suggestion
    • Status: Gathering Interest
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • UIS:
      0
    • Feedback Policy:
      We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      In addition, I already found this issue: https://jira.atlassian.com/browse/JRA-20505, but it was only about JIRA and the footer in question.

      Background
      In general, the full stack of Atlassian products provides a lot of meta information to anonymous users. That affects not only the footer, which can be adjusted manually for each product (see end-user agreement, 6.4 Attribution), but also the information within HTML headers.

      Providing this information even to anonymous users on any login mask could be abused to identify security flaws. So if we just remove the version from the footer, the page itself still contains all the needed information, e.g.:

      <meta name="application-name" content="JIRA" data-name="jira" data-version="6.4.1">

      Also, manual changes are not fully proof against upcoming updates and therefore increase the impact of maintenance. In short: editing templates is just quick and dirty and cannot be the best practice.

      I suggest giving end users (in an administration role) the opportunity to hide all internal information from users who are not logged in. Such a system should only provide the login mask and, in addition to the EUA 6.4, the "powered by Atlassian" term.

      Benefit and Business value
      Each product becomes more secure and more resistant to potential attacks. In my opinion, this is helpful for all of your business customers who need their Atlassian stack or a single product online.
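
      Added example, not part of the original issue and not Atlassian code: a regression check an administrator could run against the HTML served to anonymous users after each template edit or upgrade, confirming that neither the quoted `data-version` attribute nor the known version string is still present. The sample page, the class name `VersionLeakAuditor` and the function name `audit_anonymous_page` are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: a login page whose footer was hand-edited to drop the
# version, while the header tag quoted in the issue is still served.
SAMPLE_LOGIN_PAGE = """<html><head>
<meta name="application-name" content="JIRA" data-name="jira" data-version="6.4.1">
<title>Log in</title></head>
<body><form id="login-form"></form>
<footer>Powered by Atlassian</footer></body></html>"""


class VersionLeakAuditor(HTMLParser):
    """Collects places where an anonymous page reveals the product version."""

    def __init__(self, known_version):
        super().__init__()
        if not known_version:
            raise ValueError("known_version must be a non-empty string")
        self.known_version = known_version
        self.findings = []  # (kind, detail) tuples, in document order

    def handle_starttag(self, tag, attrs):
        # Flag any data-version attribute, plus any other attribute value
        # that embeds the version the administrator knows is installed.
        for name, value in attrs:
            if value is None:
                continue
            if name == "data-version" or self.known_version in value:
                self.findings.append(("attribute", f"<{tag} {name}={value!r}>"))

    def handle_data(self, data):
        # Visible text and inline script bodies both arrive here.
        if self.known_version in data:
            self.findings.append(("text", data.strip()))


def audit_anonymous_page(html, known_version):
    """Return the version disclosures found in HTML served without a session."""
    auditor = VersionLeakAuditor(known_version)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for kind, detail in audit_anonymous_page(SAMPLE_LOGIN_PAGE, "6.4.1"):
        print(f"version disclosed in {kind}: {detail}")
```

      Run it over the saved anonymous response of each product's login page; an empty result is the pass condition.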

              People

              Assignee:
              Unassigned
              Reporter:
              Andreas Morgner (Scandio)
              Votes:
              7
              Watchers:
              7