How to disable specific http methods in Jira
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The information in this page relates to customizations in Jira. Consequently, Atlassian Support cannot guarantee to provide any support for the steps described on this page as customizations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk.
Also, please be aware that customizations done by directly modifying files are not included in the upgrade process. These modifications will need to be reapplied manually on the upgraded instance.
By default, the Tomcat bundled with Jira accepts every HTTP method it understands. Hardening requirements sometimes call for disabling specific methods (TRACE is the usual candidate). This article describes how to do that.
Solution
The HTTP methods Jira itself relies on are GET, POST, PUT and DELETE.
⚠️ Customisations like this fall outside Atlassian Support scope. Although Jira itself does not use methods beyond the four listed above, third-party apps installed in Jira may require others (for example, WebDAV-style methods or OPTIONS pre-flight requests from browser clients).
If you want to implement this kind of restriction, test it in a development or test environment first, and exercise the other methods there as well, so that you can pin down which methods can be blocked safely before changing production. ⚠️
To have Tomcat reject a method, add a security-constraint to web.xml that lists the method and carries an empty auth-constraint. TRACE is used as the example below; the same pattern works for any other method. (Tomcat's HTTP connector already refuses TRACE unless allowTrace="true" is set on the Connector in server.xml, so for TRACE the constraint is a belt-and-braces control; for other methods the constraint is what does the blocking.)
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <!-- The empty auth-constraint is what denies the listed methods to everyone.
             A security-constraint with no auth-constraint at all grants unauthenticated
             access to the listed resources instead of blocking them. -->
        <auth-constraint/>
    </security-constraint>
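Because a security-constraint only blocks a method when it carries an empty auth-constraint, it is worth auditing the web.xml files you edit rather than trusting them by eye. The following Python script is an added example, not part of this KB or of Jira's own code: it parses the security-constraint elements of a web.xml (namespace-aware, since Jira's web.xml declares the javaee namespace), reports the URL patterns and methods each one covers, and classifies the constraint as "deny" (empty auth-constraint), "roles" (auth-constraint with role names) or "allow" (no auth-constraint, so nothing is blocked). The embedded web.xml is a constructed sample containing one correct constraint, one mistaken one and one role-restricted one; the function and element names are this example's own.

```python
"""Audit a Tomcat/Servlet web.xml for HTTP-method security constraints.

Added example (not from the Atlassian KB or from Jira). A <security-constraint>
with NO <auth-constraint> grants unauthenticated access to the listed resources;
only an EMPTY <auth-constraint/> denies the listed methods to everyone.
The sample web.xml below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one correct deny constraint, one that lists OPTIONS but
# (lacking <auth-constraint>) blocks nothing, and one role-restricted constraint.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Mistake: no auth-constraint</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin only</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>jira-administrators</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace: '{http://...}http-method' -> 'http-method'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def audit_constraints(web_xml_text):
    """Return one dict per <security-constraint> describing what it really does.

    effect: 'deny'  - empty <auth-constraint/>: listed methods blocked for everyone
            'roles' - <auth-constraint> with role-names: only those roles may call them
            'allow' - no <auth-constraint>: the constraint restricts nothing
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in _children(root, "security-constraint"):
        names, patterns, methods = [], [], []
        for wrc in _children(sc, "web-resource-collection"):
            names += [n.text.strip() for n in _children(wrc, "web-resource-name")]
            patterns += [p.text.strip() for p in _children(wrc, "url-pattern")]
            methods += [m.text.strip().upper() for m in _children(wrc, "http-method")]
        auth = _children(sc, "auth-constraint")
        if not auth:
            effect, roles = "allow", []
        else:
            roles = [r.text.strip() for r in _children(auth[0], "role-name")]
            effect = "roles" if roles else "deny"
        findings.append({"name": ", ".join(names), "url_patterns": patterns,
                         "methods": methods or ["<all>"], "effect": effect,
                         "roles": roles})
    return findings


def denied_methods(web_xml_text, url_pattern="/*"):
    """HTTP methods actually denied to everyone for the given URL pattern."""
    denied = set()
    for f in audit_constraints(web_xml_text):
        if f["effect"] == "deny" and url_pattern in f["url_patterns"]:
            denied.update(f["methods"])
    return denied


def ineffective_constraints(web_xml_text):
    """Names of constraints that list methods but carry no <auth-constraint>."""
    return [f["name"] for f in audit_constraints(web_xml_text)
            if f["effect"] == "allow"]


if __name__ == "__main__":
    # Replace SAMPLE_WEB_XML with open("/path/to/web.xml").read() for a real audit.
    for f in audit_constraints(SAMPLE_WEB_XML):
        print(f"{f['effect']:5s} {f['methods']} on {f['url_patterns']} ({f['name']})")
    print("denied on /*:", sorted(denied_methods(SAMPLE_WEB_XML)))
    print("ineffective:", ineffective_constraints(SAMPLE_WEB_XML))
```

Run it against both web.xml locations after editing them; anything reported as "allow" while naming methods is a constraint that looks like a block but is not one.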
web.xml exists in two locations on each Jira node, and the constraint should be added in both:
$JIRA_INSTALL/atlassian-jira/WEB-INF/web.xml - used to configure the individual deployed application (Jira)
$JIRA_INSTALL/conf/web.xml - provided by Tomcat to configure globally for the entire web server
Both files are replaced by a Jira upgrade, so the change has to be reapplied on the upgraded instance (see the note at the top of this page).
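After applying the constraint on a test instance, confirm from the outside which methods the server still answers. The following Python script is an added example, not part of this KB or of Jira: probe_methods() sends each method in a list to a host, port and path and records the status code, and still_enabled() lists the methods you expected to be blocked but were not. So that it runs offline, a constructed stub HTTPServer stands in for a Jira node (it refuses TRACE with 405 but leaves OPTIONS open, which the check then flags); against a real instance, call probe_methods() with the Jira host, port and context path instead. Tomcat answers a method denied by an empty auth-constraint with 403, a TRACE refused by the connector with 405, and a method it does not implement with 501, which is why all three count as "blocked" here.

```python
"""Probe a web server for the HTTP methods it still accepts.

Added example (not from the Atlassian KB or from Jira). The stub server below
is a constructed stand-in for a Jira node; point probe_methods() at a real
test instance to check it after editing web.xml.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The four methods Jira uses plus the ones hardening guides usually ask about.
PROBE_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE",
                 "OPTIONS", "TRACE", "PATCH", "PROPFIND"]

# Responses that mean "the server refused this method":
# 403 = denied by an empty <auth-constraint/>, 405 = rejected by the connector
# (e.g. TRACE with allowTrace="false"), 501 = not implemented at all.
BLOCKED_STATUSES = {403, 405, 501}


def probe_methods(host, port, path="/", methods=PROBE_METHODS, timeout=5):
    """Send each method to http://host:port/path; return {method: status_code}.

    One fresh connection per request, since a server may close the socket
    after rejecting a method.
    """
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, headers={"Host": host})
            resp = conn.getresponse()
            resp.read()  # drain the body so the socket can be closed cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results


def still_enabled(results, expect_blocked):
    """Methods from expect_blocked that the server did NOT refuse."""
    return [m for m in expect_blocked if results.get(m) not in BLOCKED_STATUSES]


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a Jira node: TRACE blocked, OPTIONS left open."""

    def _ok(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_OPTIONS = do_PATCH = _ok

    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

    # Methods without a do_* handler (PROPFIND here) get 501 from the base class.

    def log_message(self, *args):
        pass  # keep the example quiet


def start_stub_server():
    """Start the stub on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_stub_server()
    try:
        results = probe_methods("127.0.0.1", port)
        for method, status in results.items():
            print(f"{method:9s} {status}")
        print("expected blocked but still enabled:",
              still_enabled(results, ["TRACE", "OPTIONS", "PROPFIND"]))
    finally:
        server.shutdown()
```

On a real instance, probe the paths third-party apps use (REST and plugin servlets under the Jira context path), not only the base URL, since that is where a blocked method would break an app.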