Enhancing Security in CloudBees CI with Customized HTTP Headers


Issue

Securing web applications is crucial, and setting the right HTTP response headers is a vital part of this process. Administrators running Jenkins through CloudBees CI may want to set specific HTTP headers to harden the application. The headers most often involved are:

  • HTTP Strict Transport Security (HSTS)

  • Content-Security-Policy

  • X-Permitted-Cross-Domain-Policies

  • Referrer-Policy

  • Clear-Site-Data

  • Cross-Origin-Embedder-Policy

  • Cross-Origin-Opener-Policy

  • Cross-Origin-Resource-Policy

Importance of HSTS Header

While the CloudBees CI environment is typically accessed over HTTPS, including the HTTP Strict Transport Security (HSTS) header is still essential. It instructs browsers to connect strictly over HTTPS, reducing exposure to attacks such as SSL stripping. This header was adopted by the IETF in 2010 and is supported by all major browsers, serving as a defense against attacks in which users might otherwise unknowingly connect to an insecure service.

To enable HSTS effectively, configure the following header so that the browser keeps enforcing HTTPS for a specified duration. The max-age value is expressed in seconds; 31536000 seconds is twelve months, which is the recommended period:

Strict-Transport-Security: max-age=31536000; includeSubDomains

The includeSubDomains directive is an optional parameter that extends the HSTS policy to all subdomains. With it set, every subdomain of your main domain also enforces HTTPS, providing comprehensive coverage across your entire domain architecture.

Resolution

To customize HTTP headers in Jenkins or CloudBees CI, CloudBees Support recommends placing a reverse proxy such as Nginx or Apache in front of the controller. This method is preferred because of its flexibility: headers can be added, changed, or scoped to particular paths without modifying Jenkins itself.

For those looking to tailor HTTP headers without employing a reverse proxy, two Jenkins plugins offer limited customization capabilities:

  1. The [HSTS Filter](https://plugins.jenkins.io/hsts-filter-plugin/) plugin, which automates the addition of the HSTS header, prompting browsers to adhere to HTTPS.

  2. The [Extended Security Settings](https://plugins.jenkins.io/extended-security-settings/) plugin, which supports features such as disabling password autocomplete and managing the X-XSS-Protection header, although use of the latter is no longer widely recommended. Its supported configuration can suppress headers for unauthorized requests, but this option is likely to be too restrictive for complex scenarios.

As indicated in our CloudBees plugin support policies, we have limitations on the support we can provide for these plugins. Since these plugins are contributed by third parties, we cannot guarantee bug fixes or other resolutions.

For more comprehensive security, employing a reverse proxy to manage HTTP header configurations is advised.
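As an added example (not part of the CloudBees article and not CloudBees' own configuration), the following Nginx server block shows how a reverse proxy in front of Jenkins would set the headers listed above. Only the Strict-Transport-Security value comes from the article; the hostname jenkins.example.com, the certificate paths, the upstream address 127.0.0.1:8080, the /logout path and the values of the other headers are assumptions chosen as a conservative starting point, and should be adjusted for your environment.

```nginx
# Added example, not CloudBees' configuration. Host, certificate paths, upstream
# address and /logout are placeholders/assumptions; adjust before use.

upstream jenkins {
    server 127.0.0.1:8080;   # assumed: Jenkins bound to localhost behind the proxy
}

server {
    listen 80;
    server_name jenkins.example.com;
    # Browsers only honour HSTS over HTTPS, so plain HTTP just redirects.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name jenkins.example.com;

    ssl_certificate     /etc/nginx/tls/jenkins.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/jenkins.example.com.key;   # placeholder

    # The value recommended in the article: twelve months, covering subdomains.
    # Before adding includeSubDomains, confirm every subdomain is reachable over
    # HTTPS, otherwise browsers will refuse to load the ones that are not.
    # "always" makes Nginx emit the header on 4xx/5xx responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Remaining headers from the list above. These values are assumptions.
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    # Cross-Origin-Embedder-Policy "require-corp" blocks cross-origin resources
    # that lack CORP/CORS headers; enable it only after checking the UI still works.
    # add_header Cross-Origin-Embedder-Policy "require-corp" always;

    # The Jenkins UI relies on inline scripts and styles, so a strict CSP breaks
    # it. Start in report-only mode and review the violations before switching
    # to an enforcing Content-Security-Policy header.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; frame-ancestors 'self'" always;

    # add_header appends; if Jenkins already sends a header you are replacing,
    # hide the upstream copy so the response does not carry two values.
    # proxy_hide_header Referrer-Policy;

    # Clear-Site-Data wipes cookies and storage, so it belongs on the logout
    # response only, never on every response.
    location = /logout {
        add_header Clear-Site-Data "\"cache\", \"cookies\", \"storage\"" always;
        # Nginx does not inherit add_header into a block that declares its own,
        # so repeat the server-level headers here (or move them into an include).
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://jenkins;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://jenkins;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate the syntax with `nginx -t` before reloading, then confirm the headers actually reach the client with `curl -sI https://jenkins.example.com/` and, separately, `curl -sI https://jenkins.example.com/logout`; the second request is where the add_header inheritance rule most often drops headers silently. The X-Forwarded-Proto header matters because Jenkins uses it to build absolute HTTPS URLs when it is only reached over HTTP from the proxy.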