Customizing Jenkins HTTP Headers

Issue

You want to customize the HTTP headers that Jenkins serves to client browsers, either adding or removing certain ones to suit your needs. Examples include:

  • HTTP Strict Transport Security/HSTS
  • Content-Security-Policy
  • X-Permitted-Cross-Domain-Policies
  • Referrer-Policy
  • Clear-Site-Data
  • Cross-Origin-Embedder-Policy
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy
  • X-Hudson
  • X-Jenkins

Environment

Resolution

As a general rule, CloudBees Support recommends that you configure a reverse proxy (such as Nginx or Apache) in front of Jenkins/CloudBees CI if you want to customize any of the HTTP headers that are served to clients. We find that this solution is more flexible than the other alternatives, because it allows easy changes and supports a broad range of use cases.

Having said that, there are two plugins which provide some limited functionality for customizing the Jenkins application HTTP headers:

  • The HSTS Filter plugin adds a response header that signals the client to use HTTPS for all subsequent requests. HSTS is no longer recommended as a best practice by the internet security community, but in some environments it is still required for policy reasons.
  • The Extended Security Settings plugin supports disabling password autocomplete, adding the X-XSS-Protection header, and removing certain headers from requests not sent by authorized users.

Again, these plugins may be sufficient depending on your requirements, but for anything more complex we recommend using a reverse proxy and handling this configuration at that level.

Both of the plugins mentioned here are tier 3/community plugins with limited support from CloudBees.
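The following is an added example of the reverse-proxy approach recommended above; it is not part of the CloudBees article or any plugin. It assumes Nginx terminating TLS in front of a Jenkins instance listening on 127.0.0.1:8080, and the hostname, certificate paths and policy values are placeholders to adjust for your environment.

```nginx
# Added example (not from the CloudBees article): Nginx in front of Jenkins,
# stripping the X-Hudson / X-Jenkins banner headers and adding hardening
# headers from the list above. All names and values below are placeholders.
server {
    listen 443 ssl;
    server_name jenkins.example.com;                      # placeholder hostname

    ssl_certificate     /etc/ssl/certs/jenkins.pem;       # placeholder path
    ssl_certificate_key /etc/ssl/private/jenkins.key;     # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;                 # assumed Jenkins address
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Remove version-disclosure headers that Jenkins sets on its responses.
        proxy_hide_header X-Hudson;
        proxy_hide_header X-Jenkins;

        # Add hardening headers. "always" applies them to 4xx/5xx responses too.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;

        # add_header does not replace a same-named header sent by Jenkins; hide
        # it first with proxy_hide_header, otherwise the client receives both.
    }
}
```

Note that add_header directives in a location block replace, rather than extend, any defined in the enclosing server block, so keep them in one place; verify the result with `curl -sI https://jenkins.example.com/login` and check that X-Jenkins is absent and the added headers appear once.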
