Configure Bamboo to use HttpOnly and secure cookie

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Description

The seraph.bamboo cookie does not use the HttpOnly or secure attributes. This increases the impact of XSS and network-based attacks. If the HttpOnly attribute is set on a cookie, the cookie's value cannot be read or set by client-side JavaScript. This measure prevents certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script. If the secure flag is set on a cookie, browsers will not submit the cookie in any request that uses an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.

Recommendation

To have Bamboo set the respective cookies with the secure attribute, configure Tomcat as per http://tomcat.apache.org/tomcat-7.0-doc/config/http.html to include the following settings on the Connector in the <BambooInstall>/conf/server.xml file:

secure="true" and scheme="https"

e.g.

<Service name="Catalina">
    <Connector port="8085"
               ...
               scheme="https"
               secure="true"
               ... />
</Service>

These options should be configured when Bamboo runs behind an httpd reverse proxy that terminates HTTPS for Bamboo, with Bamboo itself serving plain HTTP behind the proxy.
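As an added verification aid (not part of the original article or of Bamboo), the following Python script checks a server.xml for Connectors that lack the two settings above and checks an observed Set-Cookie header for the HttpOnly and Secure attributes on the seraph.bamboo cookie. The XML fragment, proxy host name and cookie values are constructed sample data.

```python
"""Audit helpers for the Bamboo cookie hardening described in this KB.

Check 1: does every Tomcat <Connector> in server.xml carry scheme="https"
and secure="true"?  Check 2: does a Set-Cookie header for seraph.bamboo
carry both HttpOnly and Secure?  All inputs below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the first Connector is hardened as the
# KB recommends, the second is a plain HTTP Connector left unchanged.
SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8085" protocol="HTTP/1.1" connectionTimeout="20000"
               scheme="https" secure="true"
               proxyName="bamboo.example.test" proxyPort="443"/>
    <Connector port="8086" protocol="HTTP/1.1"/>
  </Service>
</Server>"""


def audit_connectors(server_xml: str) -> dict:
    """Return {port: [missing settings]} for every <Connector> found."""
    root = ET.fromstring(server_xml)
    findings = {}
    for conn in root.iter("Connector"):
        missing = []
        if conn.get("scheme") != "https":
            missing.append('scheme="https"')
        if conn.get("secure") != "true":
            missing.append('secure="true"')
        findings[conn.get("port")] = missing
    return findings


def audit_set_cookie(header: str, name: str = "seraph.bamboo") -> list:
    """Return the attributes (HttpOnly, Secure) missing from a Set-Cookie
    header value for cookie `name`; [] if the header is for another cookie."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or parts[0].split("=", 1)[0] != name:
        return []
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [a for a in ("HttpOnly", "Secure") if a.lower() not in attrs]


if __name__ == "__main__":
    for port, missing in audit_connectors(SERVER_XML).items():
        print(f"Connector {port}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    # Constructed header as a browser would see it before hardening.
    sample = "seraph.bamboo=abc123; Path=/; HttpOnly"
    print("seraph.bamboo missing:", audit_set_cookie(sample))
```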

Updated on April 8, 2025
