HTTP security headers not set in Confluence Apps

Hi all,

We’ve recently been made aware of the fact that our Confluence app’s servlets do not deliver the HTTP security headers that are delivered by default by Confluence (Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection response headers).

These same headers are delivered without a problem on the Jira version of our app.

Does anyone know why this works on Jira and not on Confluence?

PS: UPM has the same problem.
PPS: Tested on the latest enterprise releases of Jira (7.6.9) and Confluence (6.6.9)
PPPS: I have seen https://developer.atlassian.com/server/confluence/enabling-xss-protection-in-plugins/ and this seems to be unrelated (setting the described option does not cause these headers to be set)

Hello Tobias,

I found your question as I encountered the same recently at a customer I’m serving.
We are on Jira DC 8.1.2 and Confluence DC 6.14.3 using the SAML SSO Plugins.
Did you find any solutions on this?

Regards,
Christian

They’ve opened a bug report for me with the Confluence team, but it doesn’t look good: https://jira.atlassian.com/browse/CONFSERVER-57471 Feel free to leave a vote, but I wouldn’t hold my breath.

In the meantime, basically you have to configure your reverse proxy to deliver these headers for Confluence on the servlets. We’ve written some documentation for how to implement that for our SAML SSO app: https://wiki.resolution.de/display/SSSO/Hardening+security+with+HTTP+security+headers

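As an added illustration of the workaround described in the last reply (this is example configuration, not the thread's or the resolution.de wiki's own), an nginx reverse proxy that sets the four headers named in the question only on Confluence app servlet responses. The upstream address, the /plugins/servlet/ path and the header values are assumptions; the CSP in particular has to be tailored to what your servlets actually load.

```nginx
# Added example: add the security headers Confluence omits on app servlets.
# Upstream port, servlet path and header values are assumptions.
server {
    listen 443 ssl;
    server_name confluence.example.com;   # placeholder hostname

    # Everything else is proxied untouched; Confluence already sets its own
    # headers on these pages, so adding them here again would duplicate them.
    location / {
        proxy_pass http://127.0.0.1:8090;   # assumed Confluence port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Plugin servlets live under /plugins/servlet/ (assumed); these are the
    # responses that arrive from Confluence without the security headers.
    location /plugins/servlet/ {
        proxy_pass http://127.0.0.1:8090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # "always" also applies the headers to 4xx/5xx responses, so a
        # servlet error page is covered as well as the success path.
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Content-Security-Policy "frame-ancestors 'self'" always;
    }
}
```

nginx appends rather than replaces response headers, which is why the add_header lines are confined to the servlet location instead of the server block: that keeps Confluence's own headers on regular pages from being sent twice with possibly conflicting values. After reloading, compare the response headers of a servlet URL against a regular Confluence page to confirm each location returns exactly one copy of every header.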