As a Marketplace Partner, you're responsible for reviewing and updating your Data Center apps to make sure that they are compliant with the following requirements.
TYPE OF REQUIREMENT | SECURITY REQUIREMENT |
---|---|
Authentication & Authorization | 1. An application must use correct authentication annotations for its endpoints to ensure that users are authenticated and have the necessary permissions to access specific functionalities and data. Refer to all available authentication annotations. |
Sensitive Data Management | 2. An application must securely store and handle sensitive information such as passwords, API tokens, OAuth secrets, and encryption keys. Such secrets must not be stored or exposed in easily accessible places like packaged (JAR, OBR) files, HTML, JavaScript resources, or within the source code. Atlassian products offer secure storage of secrets: |
 | 3. An application must not egress credentials belonging to Atlassian user accounts, such as user passwords or Personal Access Tokens, to external servers. |
Application Security | 4. An application must validate and sanitize all untrusted data and treat all user input as unsafe to mitigate injection-related vulnerabilities such as XSS, SQL injection, XXE, etc. |
 | 5. An application must adhere to Atlassian's XSRF mitigation guidelines where applicable to minimize the risk of Cross-Site Request Forgery (XSRF) attacks. Refer to the XSRF mitigation guidelines in Atlassian REST API. |
 | 6. An application must not instantiate its own template engines when the product offers them. Instead, it should use the built-in template engines provided by the product. |
 | 7. An application must enforce strict controls when establishing network connections to user-supplied URLs and implement URL validations to reduce the risk of SSRF attacks. |
 | 8. An application implementing serialization and deserialization must implement security controls to prevent arbitrary deserialization. |
 | 9. An application must not use versions of third-party libraries and dependencies with known critical or high vulnerabilities. When vulnerabilities in these libraries and dependencies are discovered, an application owner must remediate them as quickly as possible. |
Vulnerability Management | 10. You must conduct vulnerability scans, including software composition analysis (SCA) and static application security testing (SAST), on every new version release before publishing it on the Marketplace. Learn how to scan your app. |
 | 11. You must know, understand, and follow our Security Bug Fix Policy. Learn about Atlassian's Security Bug Fix Policy for Marketplace Apps. |
 | 12. You must notify Atlassian of all security incidents via ECOHELP. Learn how to handle a security incident. |
 | 13. You must identify at least one email as a security contact and have them create an account on ecosystem.atlassian.net so that they are notified about vulnerabilities in the app via Atlassian Marketplace Security (AMS) tickets. Learn how to get access to AMS. Please note that an admin can also be listed as a security contact. |
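One way to implement the URL validation that requirement 7 calls for, added here as an example and not Atlassian's own code; it assumes Java 11 or later and a hypothetical allowlist of a single integration host (`api.example.com`):

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical helper: checks a user-supplied URL before the app opens a connection to it. */
public final class OutboundUrlPolicy {
    // Assumed allowlist: HTTPS only, and only the hosts this app legitimately integrates with.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com");
    /** Returns the normalized URI if every check passes; throws IllegalArgumentException otherwise. */
    public static URI validate(String raw) throws UnknownHostException {
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("scheme not allowed: " + uri.getScheme());
        }
        // "user:pass@host" forms are rejected outright: they make the wrong host look allowlisted.
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("credentials in URL are not allowed");
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        // Defence in depth: an allowlisted name must not resolve to an internal address either.
        // isSiteLocalAddress() covers 10/8, 172.16/12, 192.168/16 and fec0::/10 only; add checks
        // for other ranges your network treats as internal (e.g. 100.64/10, fc00::/7).
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLoopbackAddress() || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()
                    || addr.isAnyLocalAddress() || addr.isMulticastAddress()) {
                throw new IllegalArgumentException("host resolves to internal address " + addr.getHostAddress());
            }
        }
        return uri;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed inputs; each is rejected before any DNS lookup happens.
        for (String s : new String[] {"http://api.example.com/", "https://user@api.example.com/", "https://127.0.0.1/"}) {
            try { validate(s); } catch (IllegalArgumentException e) { System.out.println("rejected " + s + ": " + e.getMessage()); }
        }
    }
}
```

Pair the check with an HTTP client that does not follow redirects (for example `HttpURLConnection.setInstanceFollowRedirects(false)`) and that connects to the address it validated, otherwise a 3xx response or a DNS change after the check can route the request elsewhere.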