Customizing Jenkins HTTP Headers


Issue

You want to customize the HTTP headers that Jenkins serves to client browsers, either adding or removing certain ones to suit your needs. Examples include:

  • HTTP Strict Transport Security (HSTS)

  • Content-Security-Policy

  • X-Permitted-Cross-Domain-Policies

  • Referrer-Policy

  • Clear-Site-Data

  • Cross-Origin-Embedder-Policy

  • Cross-Origin-Opener-Policy

  • Cross-Origin-Resource-Policy

  • X-Hudson

  • X-Jenkins

Resolution

As a general rule, CloudBees Support recommends that you configure a reverse proxy (such as Nginx or Apache) in front of Jenkins/CloudBees CI if you want to customize any of the HTTP headers that are served to clients. We find this solution more flexible than the alternatives, because it allows easy changes and supports a broad range of use cases.

That said, there are two plugins which provide some limited functionality for customizing the Jenkins application HTTP headers:

  • The HSTS Filter plugin adds a response header that signals the client to use HTTPS for all subsequent requests.

  • The Extended Security Settings plugin supports disabling password autocomplete, adding the X-XSS-Protection header, and removing certain headers from responses to requests that were not sent by authorized users. Note that the X-XSS-Protection header is not recommended as a best practice by the internet security community, because it can actually create security issues in some situations. Chrome and Microsoft Edge no longer support this header, and Firefox never had support for it.

These plugins may be sufficient depending on your requirements, but for anything more complex we recommend using a reverse proxy and handling this configuration at that level.
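As an added illustration of the reverse-proxy approach (this is example configuration, not from CloudBees or the Jenkins project), the Nginx server block below adds several of the headers listed above and strips the X-Hudson and X-Jenkins headers from Jenkins responses. It assumes Jenkins listens on 127.0.0.1:8080, the hostname jenkins.example.com, and placeholder certificate paths.

```nginx
# Example Nginx front end for Jenkins (assumed upstream 127.0.0.1:8080).
server {
    listen 443 ssl;
    server_name jenkins.example.com;          # assumed hostname

    ssl_certificate     /etc/nginx/tls/jenkins.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/jenkins.key;   # placeholder path

    # Response headers added at server level. "always" also applies them to
    # 4xx/5xx responses. Keep all add_header directives at this one level:
    # an add_header inside a location replaces, rather than extends, this set.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    # Content-Security-Policy and the Cross-Origin-* headers are deliberately
    # omitted here: values strict enough to be useful must be tested against
    # the Jenkins UI first, so treat them as a site-specific follow-up.

    location / {
        # Headers that Jenkins sets on its own responses and that we do not
        # want to expose to clients.
        proxy_hide_header X-Hudson;
        proxy_hide_header X-Jenkins;

        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_request_buffering off;       # needed for large uploads/CLI streams
    }
}

# Redirect plain HTTP to HTTPS so the HSTS policy is the only path clients see.
server {
    listen 80;
    server_name jenkins.example.com;
    return 301 https://$host$request_uri;
}
```

After reloading Nginx, confirm the result with `curl -sI https://jenkins.example.com/login`: the Strict-Transport-Security and Referrer-Policy headers should be present and X-Jenkins/X-Hudson absent; if any tooling in your environment relies on the X-Jenkins header, verify it still works before keeping the proxy_hide_header lines.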

Both of the plugins mentioned here are tier 3/community plugins with limited support from CloudBees.