Details
- Suggestion
- Resolution: Unresolved
Description
The security team has been reporting a security threat caused by the absence of the Clear-Site-Data header when a user logs out of Jira. Details follow:
Problem Statement:
Storing plaintext sensitive data in client side local storage makes the data easily accessible by anyone who gains privileged access to the client system. This bypasses user authentication enforced by the application.
In addition to data leakage in shared client environments, such as a public computer's browser, a cross-site scripting (XSS) flaw allows attackers to easily access sensitive data.
Details:
Configure your application to send the Clear-Site-Data header when the user logs out. Configure the header using the following directives:
- "cache": clear all cached files for this origin
- "cookies": clear all cookies for the domain (both HTTP and HTTPS)
- "storage": clear all locally stored data, including ServiceWorker registrations and AppCache data
- "executionContexts": reload all browsing contexts (tabs and windows) open for this origin
- "*": all of the above, including additional future directives
For example, the header shown below clears cookies and Local Storage.
Clear-Site-Data: "cookies", "storage"
The header shown below clears everything and reloads all application contexts:
Clear-Site-Data: "*"
The browser is not a secure storage area. Therefore, it is recommended to clear client-side application data when the user logs out.
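As an added example (not from this issue and not Jira's own code), the helper below builds the Clear-Site-Data value for a logout response and checks, the way a security reviewer would, whether a logout response actually clears cookies and local storage; the directive names are the ones listed above, and the response header dictionary is an assumed, constructed input.

```python
"""Build and review the Clear-Site-Data header of a logout response."""
import re
from typing import Iterable

# Directive names listed in the issue; the header only honours quoted names.
KNOWN_DIRECTIVES = {"cache", "cookies", "storage", "executionContexts", "*"}

# A directive must be a quoted string, e.g. "storage"; bare words are ignored.
_DIRECTIVE_RE = re.compile(r'^\s*"([^"]*)"\s*$')


def build_clear_site_data(directives: Iterable[str]) -> str:
    """Return a valid header value such as '"cookies", "storage"'.

    Unknown names raise, so a typo cannot silently produce a header that the
    browser ignores (which would leave client-side data in place after logout).
    """
    wanted = list(dict.fromkeys(directives))  # de-duplicate, keep order
    unknown = [d for d in wanted if d not in KNOWN_DIRECTIVES]
    if not wanted or unknown:
        raise ValueError(f"bad Clear-Site-Data directives: {unknown or 'none'}")
    if "*" in wanted:
        wanted = ["*"]  # the wildcard already covers every other directive
    return ", ".join(f'"{d}"' for d in wanted)


def logout_response_headers(clear_everything: bool = False) -> dict:
    """Headers a logout endpoint should send (constructed example values).

    Clear-Site-Data is only applied by the browser on HTTPS responses, so the
    server must still invalidate the session itself; this header is a second layer.
    """
    value = build_clear_site_data(["*"] if clear_everything else ["cookies", "storage"])
    return {"Clear-Site-Data": value, "Cache-Control": "no-store"}


def parse_clear_site_data(value: str) -> set:
    """Parse the header as a browser does: quoted, known names count; others are skipped."""
    found = set()
    for token in value.split(","):
        match = _DIRECTIVE_RE.match(token)
        if match and match.group(1) in KNOWN_DIRECTIVES:
            found.add(match.group(1))
    return found


def logout_clears_client_state(headers: dict) -> bool:
    """Reviewer's check: does this logout response clear cookies and local storage?"""
    directives = parse_clear_site_data(headers.get("Clear-Site-Data", ""))
    return "*" in directives or {"cookies", "storage"} <= directives
```

A logout response with no Clear-Site-Data header, or one whose directives are not quoted, fails the check, which is exactly the condition the security team reported.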