Event Listener module
Job module
Language module
Macro Module
Servlet Filter module
Servlet module
Theme module
Web UI modules
Workflow module

How to exclude Servlet URLs from Confluence’s default security headers


Confluence 9.0 and later

Starting from version 9.0, Confluence adds default security headers to improve security. There may be some cases where you wish to prevent some Confluence from adding these default security headers to some URLs. In this case, add init-param: securityHeadersExcluded to the servlet module.

Confluence adds the following default security headers to a response:

  • X-XSS-Protection: 1; mode=block
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • Content-Security-Policy: frame-ancestors 'self' with urls of configured application links or policy defined in http.header.security.content.security.policy.value system property.

Confluence will not add any default security headers to the URLs matched by your servlet if you add the parameter init-param with the name securityHeadersExcluded and a value of true.

<atlassian-plugin key="optOutSecurityHeadersExample" name="Opt Out Security Headers Examples" plugins-version="2">
        <vendor name="${project.organization.name}" url="${project.organization.url}" />

    <servlet key="optOutSecurityHeadersServlet" name="Opt Out Security Headers Servlet"
        <description>Servlet whose matched urls will be opted out from adding default security headers</description>

Rate this page: