Available: Confluence 9.0 and later
Starting from version 9.0, Confluence adds a set of default security headers to its responses.
There may be cases where you want to stop Confluence from adding these default security headers to some URLs served by your plugin. To do so, add the init-param securityHeadersExcluded to the servlet module.
Confluence adds the following default security headers to a response:
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self', extended with the URLs of the configured application links, or the policy defined in the http.header.security.content.security.policy.value system property.
Confluence will not add any of these default security headers to the URLs matched by your servlet if you add an init-param with the name securityHeadersExcluded and a value of true.
Responses from those URLs then lack the clickjacking protection (X-Frame-Options and the frame-ancestors directive) and the MIME-sniffing protection listed above, so keep the url-pattern as narrow as possible and have the servlet set any of these headers it still needs itself.
```xml
<atlassian-plugin key="optOutSecurityHeadersExample" name="Opt Out Security Headers Examples" plugins-version="2">
    <plugin-info>
        <description>${project.description}</description>
        <version>${project.version}</version>
        <vendor name="${project.organization.name}" url="${project.organization.url}" />
    </plugin-info>
    <servlet key="optOutSecurityHeadersServlet" name="Opt Out Security Headers Servlet"
             class="com.atlassian.confluence.plugin.example.optoutsecurityheaders.OptOutSecurityHeadersServlet">
        <description>Servlet whose matched urls will be opted out from adding default security headers</description>
        <url-pattern>/some-paths-to-opt-out</url-pattern>
        <init-param>
            <param-name>securityHeadersExcluded</param-name>
            <param-value>true</param-value>
        </init-param>
    </servlet>
</atlassian-plugin>
```
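To confirm that the opt-out applies only to the intended path, the following is an added shell example (not from the Confluence documentation or from the example plugin) that reads raw response headers from stdin and reports which of the four default security headers are present. It assumes the plugin servlet is reachable under /plugins/servlet/<url-pattern> on a base URL you supply to check_live; the sample responses embedded at the end are constructed for illustration, not captured from a real instance.

```sh
#!/bin/sh
# Added example, not part of the Confluence docs or the example plugin.
# Reads raw HTTP response headers from stdin (for example from `curl -sI`)
# and reports which of Confluence's four default security headers are present.

DEFAULT_HEADERS="X-XSS-Protection X-Content-Type-Options X-Frame-Options Content-Security-Policy"

# Print how many of the four default headers appear in the headers on stdin.
# Matching is case-insensitive, as HTTP header names are.
count_default_headers() {
    input=$(cat)
    n=0
    for h in $DEFAULT_HEADERS; do
        if printf '%s\n' "$input" | grep -qi "^$h:"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Print the names of the default headers that are missing, one per line
# (empty output means all four are present).
missing_default_headers() {
    input=$(cat)
    for h in $DEFAULT_HEADERS; do
        printf '%s\n' "$input" | grep -qi "^$h:" || echo "$h"
    done
}

# Exit 0 only if none of the default headers are present, i.e. the URL is
# really served by a servlet with securityHeadersExcluded=true.
assert_opted_out() {
    [ "$(count_default_headers)" -eq 0 ]
}

# Exit 0 only if all four default headers are present, i.e. the opt-out has
# not leaked onto a URL that should keep them.
assert_defaults_present() {
    [ "$(count_default_headers)" -eq 4 ]
}

# Live check against an instance (needs network). The base URL is an
# assumption, e.g. https://confluence.example.com; plugin servlets are
# served under /plugins/servlet/<url-pattern>.
check_live() {
    base_url=$1
    curl -sI "$base_url/plugins/servlet/some-paths-to-opt-out" | assert_opted_out \
        || { echo "opt-out path still carries default headers"; return 1; }
    curl -sI "$base_url/" | assert_defaults_present \
        || { echo "default headers missing on a path that should have them"; return 1; }
    echo "ok"
}

# Constructed sample responses for offline use (not captured from a server).
# A normal Confluence response, with one header name in lower case:
SAMPLE_DEFAULT=$(printf "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nx-frame-options: SAMEORIGIN\r\nContent-Security-Policy: frame-ancestors 'self'\r\nContent-Type: text/html\r\n")
# A response from a servlet opted out with securityHeadersExcluded=true:
SAMPLE_OPTED_OUT=$(printf "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: no-cache\r\n")
# A response carrying only two of the four defaults:
SAMPLE_PARTIAL=$(printf "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n")
```

Pipe `curl -sI <url>` into `missing_default_headers` to see exactly which defaults a given path lacks; `check_live` runs the two assertions a practitioner would want after deploying the plugin, one on the opted-out path and one on a path that must keep the defaults.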