How to exclude ServletFilter URLs from Confluence’s default security headers


Confluence 9.0 and later

Starting from version 9.0, Confluence adds default security headers to its responses. There may be cases where you want to prevent Confluence from adding these default security headers to some URLs. In that case, add an init-param named securityHeadersExcluded to the servlet-filter module.

Confluence adds the following default security headers to a response:

  • X-XSS-Protection: 1; mode=block
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • Content-Security-Policy: frame-ancestors 'self' with the URLs of configured application links or policies defined in the http.header.security.content.security.policy.value system property.

This option applies only to filters whose class extends javax.servlet.GenericFilter, so that Confluence can get the init parameters from the filter. The code sample below provides an example of such a filter.

package com.atlassian.confluence.plugin.example.optoutsecurityheaders;

import javax.servlet.FilterChain;
import javax.servlet.GenericFilter;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;

// Extends GenericFilter so that Confluence can read the filter's init parameters.
public class OptOutSecurityHeadersFilter extends GenericFilter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // Pass the request down the chain unchanged.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}

Confluence will not add any default security headers to the URLs matched by your servlet filter if you add an init-param with the name securityHeadersExcluded and a value of true.

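<atlassian-plugin key="optOutSecurityHeadersExample" name="Opt Out Security Headers Examples" plugins-version="2">
    <vendor name="${project.organization.name}" url="${project.organization.url}" />
    <servlet-filter name="Opt Out Security Headers Filter" key="optOutSecurityHeadersFilter"
        class="com.atlassian.confluence.plugin.example.optoutsecurityheaders.OptOutSecurityHeadersFilter" weight="1">
        <description>Filter whose matched urls will be opted out from adding default security headers</description>
        <url-pattern>/placeholder/path/*</url-pattern> <!-- placeholder: use the URLs your filter should match -->
        <init-param>
            <param-name>securityHeadersExcluded</param-name>
            <param-value>true</param-value>
        </init-param>
    </servlet-filter>
</atlassian-plugin>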
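Because the opt-out removes all four default headers from the matched URLs, a filter that needs only the framing policy relaxed can set the remaining headers itself. The filter below is an added example, not code from this page or from Atlassian: the package, class name and the allowedFrameAncestor init-param are hypothetical, and it assumes the descriptor also sets securityHeadersExcluded to true and that headers set by the filter reach the client unchanged.

```java
package com.example.confluence.filters; // hypothetical package

import javax.servlet.FilterChain;
import javax.servlet.GenericFilter;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.regex.Pattern;

public class ScopedSecurityHeadersFilter extends GenericFilter {
    // Accept only a bare https origin, so the init-param cannot carry
    // extra CSP directives, wildcards or CR/LF characters into the header.
    private static final Pattern ORIGIN =
            Pattern.compile("https://[A-Za-z0-9.-]+(:\\d{1,5})?");

    private String csp;

    @Override
    public void init() throws ServletException {
        // "allowedFrameAncestor" is an init-param defined by this example only.
        String ancestor = getInitParameter("allowedFrameAncestor");
        if (ancestor == null || !ORIGIN.matcher(ancestor).matches()) {
            // Fail closed: refuse to start rather than serve with no framing policy.
            throw new ServletException("allowedFrameAncestor must be a single https origin");
        }
        csp = "frame-ancestors 'self' " + ancestor;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the headers before the chain runs, while the response is uncommitted.
            http.setHeader("X-Content-Type-Options", "nosniff");
            http.setHeader("Content-Security-Policy", csp);
            // X-Frame-Options: SAMEORIGIN is left out on purpose: it would block
            // the one external origin that frame-ancestors permits above.
        }
        chain.doFilter(request, response);
    }
}
```

Keep the url-pattern of such a filter as narrow as possible, since every URL it matches loses the Confluence defaults.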
