Configuring the Pages for Bitbucket Server to serve via an external domain allows hosting arbitrary Javascript and CSS without the risk of XSS vulnerabilities. When pages are served via another domain, the browser same-origin policy ensures that no Bitbucket session information is available in malicious javascript.

Effects of enabling serving via an external domain

  • (warning) All pages served are available publicly, since Bitbucket authentication is not available.

  • Javascript and CSS sanitization is turned off, since it is not required.

  • Attempting to access content at the old URL will result in a redirect to the new location at the external domain.

How to enable serving via external domain

Reminder: When Pages Domain is enabled all repository content is available to anonymous users

An external domain is enabled by specifying a “Pages Domain” on the global “Pages configuration” page available to administrators:

To turn off the external domain configuration, simply clear the field and save.

Configuring a reverse proxy

The external domain pages domain must be configured to re-direct to Bitbucket using a reverse proxy. For some background on configuring a reverse proxy: reference 1, reference 2.

Under the hood the plugin checks X-Forwarded-Host header to determine if request made through pages domain.

Apache example configuration:

Here is example of virtual host configuration for the Apache http server:

<VirtualHost *:80>
    ServerName bitbucket-pages.local
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
         Require all granted
    ProxyPass /pages http://localhost:7990/bitbucket/pages
    ProxyPassReverse /pages http://localhost:7990/bitbucket/pages

Nginx example configuration:

worker_processes  1;

events {
    worker_connections 1024;

http {
    server {
        listen 8080;
        server_name bitbucket-pages.local;

        location /pages/ {
            proxy_pass http://localhost:7990/bitbucket/pages/;
            proxy_set_header X-Forwarded-Host $host;