Strict-Transport-Security (HSTS) in ACE


I’d like to check Atlassian plans regarding implementing Connect Security Requirements, namely HSTS, in ACE?

Looks like there is support for HSTS in Atlassian Connect Spring Boot, see HSTS check fail with Connect Security Requirements Tester (CSRT), and I have found atlassian-connect-express-ssl - npm, but trying it, I don’t see any differences with non ssl package.

Note, I’m using Heroku, and HSTS needs to be implemented on app level, see Using HTTP Headers to Secure Your Site | Heroku, but I expect that ACE could do this for all connect apps.

Additionally, I would expect atlassian-connect-express-ssl to force ssl (do redirect to https) for the connect apps automatically.

Could someone let me know if this or something related is going to be?

Thank you.

You can enable HSTS by your own both in Spring Boot and Express.js without need to rely in this matter on either Atlassian Connect for SBoot or ACE. For Express you can use helm.js or any other middleware.

Even though Atlassian enforces HSTS in connect apps I wouldn’t implement HSTS configuration in Atlassian Connect frameworks because responsibility of these tools is to support creating apps which relies on Connect API. The same way I wouldn’t recommend implement handling SSL and certificates in ACE or spring boot.

You may want to add other http headers to your app making it even more secure or just add specific to your app headers. Having some headers configured in your web server, some on the express/spring/tomcat level and some on the atlassian connect level is not the best thing to have.

1 Like