Writing an app for the Atlassian cloud platform? Were you aware you need to meet security requirements for your app? Does this all seem oddly specific for a random blog post? Is it truly a cliche to start a post with a collection of questions? – Probably. I’ll stop now.

In today’s post, I’m going to describe how you can meet (most) of the Atlassian Security Requirements by simply fronting your Atlassian connect app with Cloudflare.

Getting Started

Ensure you have a Cloudflare account setup. If not, ensure you sign-up for a new account: https://dash.cloudflare.com/sign-up

Next, make sure you have your primary domain’s nameservers configured for Cloudflare. Cloudflare has a handy developer guide for this particular situation. If you require a more advanced setup, there are also docs for that too.

Ensuring your app’s subdomain is being proxied

From your site’s Cloudflare Menu, select DNS from the left-hand menu.

Cloudflare DNS Menu

Find your app’s relevant DNS entry, and ensure it is Proxied.

Cloudflare Proxied

Updating Cloudflare SSL/TLS Settings

Now that all the necessary preparations have been checked, we can update a few Cloudflare settings to make your app compliant with the Atlassian SSL/TLS requirements.

First off, let’s navigate to the SSL/TLS menu, then click Edge Certificates from the left-hand menu.

Cloudflare SSL TLS Edge Settings

Enabling HTTP Strict Transport Security (HSTS)

We enable HSTS to meet Requirement #1 of the Atlassian Security Requirements for Cloud Apps.

Under the SSL/TLS -> Edge Certificates Cloudflare menu, find the HTTP Strict Transport Security (HSTS) section by scrolling down.

Click Enable HSTS, carefully read the acknowledgement and then proceed.

Cloudflare Enable HSTS

On the Configure screen, ensure you enable HSTS and for safety set the Max Age to 0 for now. This will ensure you can confirm things are working before setting the HSTS Max Age to be a longer value.

Cloudflare HSTS Settings

Setting Minimum TLS Version

We restrict the TLS version accepted by our app to meet Requirement #1 of the Atlassian Security Requirements for Cloud Apps.

Under the SSL/TLS -> Edge Certificates Cloudflare menu, find the Minimum TLS Version section by scrolling down.

Set the minimum TLS version to TLS 1.2.

Cloudflare Minimum TLS Version

Let’s test our changes

Let’s confirm that everything looks good from an external scanner’s perspective.

We can use Qualys’ SSL Labs tester to see what our app now shows to an external visitor. Navigate over to: https://www.ssllabs.com/ssltest/ and enter your app’s connect descriptor URL.

SSL Labs Scan URL

Once one of the IP addresses finishes being scanned, confirm that only TLS 1.2 and higher protocols are accepted. All lower protocols (eg. TLS 1.1, TLS 1.0, SSL 3) should not be accepted.

SSL Labs TLS Versions Supported

Now, you will need to go and update your HSTS settings to be something with a longer Max Age than 0. You can choose 1 Month if you are concerned about breaking access to your site. You can increase this value over time as your confidence grows.

Cloudflare HSTS Max Age Update

And you’re done!

Wait, what? That was only two minor tweaks. You are correct, but those are two things that are notoriously difficult to setup from application code / server configuration. These are also the primary things Atlassian is automatically scanning for to confirm your app is compliant.

Cloudflare will also ensure your HTTPS certificates never expire, since they manage them. They will also ensure you do not lose control of your domain by sending you email reminders about domain renewal.