Modify Attachment Security Policy

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Modify the Attachment Security Policy to control how attachments are handled within Jira, by either forcing the download of an attachment or displaying it inline.

Solution

The attachment settings can be modified within the Jira configuration.

  1. Navigate to 'Jira Administration ⚙ -> System'.

  2. Select the 'Edit Settings' button near the top right corner.

  3. Locate the option 'Internet Explorer MIME Sniffing Security Hole Workaround Policy'.

Available Options

  • Insecure: inline display of attachments

  • Secure: forced download of attachments for all browsers

  • Work around Internet Explorer security hole

These attachment viewing security options address cross-site scripting vulnerabilities present in Internet Explorer 7 and earlier. Use the workaround to reduce the risk of attacks on IE users via attachments. Use download-only mode (the 'Secure' option) to sacrifice attachment viewing convenience in all browsers and gain ultimate protection against hostile attachments. See JIRA Security Advisory 2008-08-26.

⚠️ After modifying the option, you must either clear caches/cookies from the browser, use an incognito or private browser tab, or refresh Jira for the change to take effect.
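
To confirm the selected policy is in effect, inspect the response headers returned for an attachment. The following is an added example, not Atlassian's code: it classifies constructed header sets by whether a browser would download or render the attachment. The category names and the two content-type lists are assumptions of this example.

```python
from email import message_from_string

# Assumed for this example: types a browser runs script from when shown inline.
ACTIVE = {"text/html", "application/xhtml+xml", "image/svg+xml"}
# Assumed: types a legacy MIME-sniffing browser may reinterpret as HTML.
SNIFFABLE = {"text/plain", "application/octet-stream"}


def classify(raw: str) -> str:
    """Classify one attachment response from its headers."""
    lines = raw.strip().splitlines()
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]  # drop the status line, keep the header fields
    msg = message_from_string("\n".join(lines))
    if msg.get_content_disposition() == "attachment":
        return "download"  # browser saves the file instead of rendering it
    # A response with no declared type leaves the browser to guess.
    ctype = msg.get_content_type() if msg["Content-Type"] else "application/octet-stream"
    if ctype in ACTIVE:
        return "inline-active"
    nosniff = (msg["X-Content-Type-Options"] or "").strip().lower() == "nosniff"
    if ctype in SNIFFABLE and not nosniff:
        return "inline-sniffable"
    return "inline-passive"


def not_forced_download(samples: dict) -> list:
    """Names of attachments that would be rendered rather than downloaded."""
    return sorted(n for n, raw in samples.items() if classify(raw) != "download")


# Constructed header sets (not captured from a real Jira instance).
SAMPLES = {
    "report.html": "HTTP/1.1 200 OK\nContent-Type: text/html;charset=UTF-8\n"
                   "Content-Disposition: inline; filename=\"report.html\"",
    "notes.txt": "HTTP/1.1 200 OK\nContent-Type: text/plain\n"
                 "Content-Disposition: inline; filename=\"notes.txt\"",
    "logo.png": "HTTP/1.1 200 OK\nContent-Type: image/png\n"
                "X-Content-Type-Options: nosniff",
    "dump.zip": "HTTP/1.1 200 OK\nContent-Type: application/zip\n"
                "Content-Disposition: attachment; filename=\"dump.zip\"",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify(raw)}")
    print("not forced to download:", not_forced_download(SAMPLES))
```

With the 'Secure' option selected, every attachment response should classify as `download`, so `not_forced_download` should return an empty list for headers collected from your own instance.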

Updated on May 22, 2025
