Hi @Jurij Ivastsuk-Kienbaum You can follow the below best practices to make your Confluence instance secure.

1. If you do not require your Confluence to be accessible publicly and only your company is used it then run the application under your company VPN so that public users should not be able to access the instance.

2, If Confluence is also used by public users then use the WAF solutions like Akamai, Cloudflare, etc to protest your application from the external attackers.

3. Always keep the Secure administrator sessions enable in your site from the Security Configuration so that admins will need to re-authenticate while accessing the admins configuration.

4. Always keep watch on the Atlassian security news for the CVE reported by the Atlassian and mitigating steps need to be taken

https://www.atlassian.com/trust/security/advisories

5. Have your applications running on the latest or closed to latest version so that security improvements added by Atlassian are always intact.

6. If you have internal security team then have them run regular audits against the application from UI and backend server so that there should not be any loophole.

7. Make sure all your lower instances like Stage/Devel/Pre-Prod are running internal to your network and have similar configuration as that of production to aviod any security issues and keep them aligned with your prod version.

8. Have minimum number of admins users in your application based on the size of your organization not more than 5-10 admins per site.

These are some basic but important things to remember to avoid any security issues

Thanks

Sagar

Hi @Jurij Ivastsuk-Kienbaum ,

please take a look to the following article https://confluence.atlassian.com/doc/confluence-security-overview-and-advisories-134526.html

My suggestion is to monitor security advisor.

To be notified by email when new advisories or bulletins are published go to https://my.atlassian.com/email and subscribe to Tech Alerts emails.

Hope this helps,

Fabio