How to disable attachment downloads

Hi @Rolf Breuer ,

In Confluence Data Center / Server, there is currently no built‑in fine‑grained permission to make attachments “view‑only” while preventing download / export / print. The permission model is: if a user can view the page, they can technically access (i.e. download) the page’s attachments, so the product does not provide true DRM.

However, in Data Center you can use Space Layout plus custom JS/CSS to “harden” the UI and significantly reduce casual download/export/print by normal users. For example:

• Hide the download button and “Download all” links in the attachment preview

• Hide the “Attachments” entry points and Space Tools for non‑admin users

• Disable right‑click on attachment links and embedded files

• Block printing (printed pages are blank)

A concrete implementation example is described here:

Disable attachments download, export, print and other functions in specific spaces

Please note this is UI hardening only: anyone who can see the content can still use browser DevTools, screenshots, etc. to capture it. In real‑world deployments this is usually combined with stricter permissions and, where necessary, external DRM/DLP systems to improve overall security.

In addition, if you want to disable attachment downloads globally, Atlassian also provides an official approach (e.g. by customizing the DownloadAttachmentAction to intercept download requests at a global level):

How to disable attachment downloads

This has nothing to do with the apps. Whatever you send to the user, it's theirs and they can do whatever they want with it, and they can modify whatever pages or content you send them. That's the nature of browsers.

Once anything makes it to the user's browser, its theirs, you can limit and restrict whatever you want, but its in their browser and they can do whatever they want with it.

So if you're going to "show" the pdf to the user, it's already in the user's hands. They can print it, distribute it in their local shopping centres, sell it to schools, or wipe their hands with it.

You can try to make it harder for them to download it by hiding controls (probably by messing with the pages with some .js), but you will never truly achieve a non-downloadable file. If the file is there, if the user can access it, it's theirs and you'll see someone on the bus reading it too, period.

Hello @Rolf Breuer 

if this is Confluence Data Center, then as far as I remember not natively.

Anyone who can view the page can also download the attached files, and Atlassian’s DC docs state that there is no separate permission just for attachment downloads. 

So if the requirement is “can read page, but cannot download attachment”, that is not something Confluence DC supports out of the box.

There is a KB workaround from Atlassian, but it requires custom file edits and needs to be redone after upgrades, so I would treat that more as a custom workaround than a proper product setting.

@Ollie Guan  provided you already very good advice for that use case.