Extended security settings

2 minute readSecurity

The Extended security settings plugin is used to configure extended security settings for Jenkins. You must download the plugin to enable the following settings.

Disable password autocomplete

This feature is designed to allow overly paranoid security scanners to certify Jenkins. This adds an autocomplete="off" attribute to password inputs on the signup and login pages.

This feature is generally ignored by modern web browsers due to the inherent insecurity of attempting to prevent password managers from working, which encourages weak passwords or bad password management practices, such as using sticky notes. See Choosing Secure Passwords for more details.

Enable X-XSS-Protection header

This feature enables the HTTP header X-XSS-Protection: 1; mode=block to be sent on all requests. Some web browsers use this header as a way to automatically block suspected cross-site scripting attacks. Several web browsers (e.g., Firefox, Edge, and Chrome) do not support this header.

Remove HTTP headers for unauthorized users

This feature adds a configurable list of HTTP header names (case-insensitive) that can be automatically removed from HTTP responses sent to users lacking the Overall/Read permission. This feature is useful for hiding the Jenkins and other software versions present in HTTP headers (i.e. like X-Jenkins). Various security scanning tools recommend hiding version information advertised this way.

There are numerous other ways to fingerprint Jenkins to deduce which version is running even when this feature is enabled.

This feature is only provided for basic HTTP header removal. For more complex header rewrite rules, using a reverse proxy such as Apache with mod_headers is a more complete solution. Use of a reverse proxy in front of Jenkins is generally recommended in order to more easily support HTTPS and allow for additional security hardening through the reverse proxy itself. Many popular reverse proxies and HTTP load balancers support some form of response filtering, so consult the relevant documentation for those products on how to filter HTTP headers.

General information about running Jenkins behind Apache is provided on the Jenkins wiki. To filter out version headers, an Apache config snippet like this can be used:

<IfModule headers>
    Header unset Server
    Header unset X-Jenkins

Apache will subsequently advertise its own Server header, which can be further customized via the ServerTokens directive.