
How secure is Confluence?

My company wants to use Confluence. And we want to add some confidential documents in it. Is it safe to do so?


Confluence does not have any "known" security bugs, but that does not mean every Confluence installation is impenetrable. A vigilant administrator and a decent security framework ensure security, not Confluence.

Considering HTTPS is the industry standard for any production-grade instance, I assume that you mean "how difficult would it be for a Confluence user A to bypass the permission scheme and access your confidential documents?".

This is unlikely to happen.

Confluence is a very configurable product. You can implement any level of security, ranging from hardware security dongles for sign-in to anonymous access for Confluence pages.

Study the IT security standard in your industry and take your pick. Confluence should be able to work with your chosen security standard.

Like masykurm likes this

Hi @Charitha Veeragandham,

  Your content is only as safe as how you grant access to Confluence, secure your spaces, and restrict pages.

Our company locks down anything compensation related, so I would consider the application pretty safe if you know what you are doing.

Example: If a parent page has view access for only a certain group, then no one else will be able to see that parent page or the pages underneath it.

Check out the following permissions documentation from Atlassian:

Note: If your company loves to hold onto their data, check out getting Confluence Server. If housing the data is not a concern, then check out Confluence Cloud because then Atlassian can be your 'Sys admin'.

Hope this helps!

Like Charitha Veeragandham likes this

Note: Some companies feel "safer" if the application is behind their own firewall. If this is your case, then Confluence Server would be a good option.

Other things to consider would be that you are only as secure as your user's security competency. In any organization these days your security folks should be educating users on how to spot phishing and social engineering attacks. Also, don't let your users off with weak passwords. Make them make it strong and don't bow to the upper management folks who complain because it is not friendly enough now. If you really want to take it to the next level require two factor authentication for all your users. That step alone takes your risk way down as the attacker would not only need the user's password but also their second factor. Google recently announced that last year they did not have a single case of an employee's credentials being used successfully in an attack because they require two factor authentication company-wide. There are marketplace add-ons that provide two factor authentication for the self hosted Confluence and the Cloud offering offers it as well.

Beyond user controls, it is important to fully understand how to set up Space permissions to lock down the content that is sensitive. You could very easily open it up for anonymous access or add in users that should not have access if you are not making sure to use the principle of least privilege.

SSL is a must. And make sure that it isn't just turned on as an option. If the user tries to access the site over http make sure they get redirected to https.

If you trust your IT folks and have confidence in their security practices (firewall rules, anti-virus, log monitoring, etc.), I personally think having your data on premises is better. I know the trend these days is to throw everything into the cloud and let their people manage security. "After all they are better able to handle that and it's cheaper." Except that I see stories every day about BIG companies getting breached that have folks dedicated to security and yet they still get hacked. And I would argue strenuously that it is indeed cheaper. I've not seen a cloud-hosted solution yet that I believe is cheaper than having competent local IT folks. Not only that, cloud offerings are a big target these days simply because there is LOTS of data there to get. "Lots of data" = "lots of reward" for them. Attackers will typically go after the easy, high-profile targets first. If you maintain a low profile you mitigate some risk there. Remember, the tallest blade of grass is the first to get cut.

Anyway, those are my thoughts. Confluence certainly can be a secure product but you have to make it such. It doesn't just come secure and risk free ... no product does.

Like Charitha Veeragandham likes this
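The redirect check recommended in the answer above, as an added example that is not part of the original post: it audits the status and headers a server returned to a plain-HTTP request. The host `wiki.example.test` and all sample responses are constructed, and the HSTS check goes slightly beyond what the post mentions.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def audit_plain_http(status, headers):
    """Findings for the response a server gave to a plain-HTTP request."""
    hdrs = _lower(headers)
    if status not in REDIRECTS:
        return [f"HTTP {status}: answered over plain HTTP, no redirect"]
    findings = []
    # A relative or http:// Location keeps the user on the unencrypted site.
    if urlsplit(hdrs.get("location", "")).scheme != "https":
        findings.append("redirect does not point to an https:// URL")
    if "set-cookie" in hdrs:
        findings.append("cookie issued on the unencrypted response")
    return findings

def audit_hsts(headers):
    """Findings for the HTTPS response: HSTS present with a non-zero max-age?"""
    value = _lower(headers).get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age":
            arg = arg.strip('"')
            if arg.isdigit() and int(arg) > 0:
                return []
            return ["HSTS max-age is zero or malformed"]
    return ["HSTS header without max-age"]

# Constructed sample responses to GET http://wiki.example.test/ (placeholder host).
SAMPLES = {
    "enforced": (301, {"Location": "https://wiki.example.test/"}),
    "https optional": (200, {"Content-Type": "text/html"}),
    "redirect stays on http": (302, {"Location": "/login.action"}),
    "cookie before redirect": (302, {"Location": "https://wiki.example.test/",
                                     "Set-Cookie": "JSESSIONID=constructed"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(f"{name}: {audit_plain_http(status, headers) or 'OK'}")
    print("hsts:", audit_hsts({"Strict-Transport-Security": "max-age=31536000"}) or "OK")
```

The status and headers for a real instance can be taken from `curl -sI` against the `http://` and `https://` URLs of your own site.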

All the answers here are about how the users/admin of Confluence can set permissions within Confluence. One came close with you feel more secure with sensitive data hosted on your own site. The real question these days is how is the data/content in Confluence stored from a system hack standpoint. What restricts access to the data/content from a path other than through Confluence and also by system users and admins?

Example. I am making a list for our Development Team of endpoints they need to servers and databases they will need to connect to. I will restrict access to a list of individual Confluence users on a need-to-access basis, no problem. I may break even the Development servers from the production servers. The production servers have access to and store a fair amount of private financial data. So the addresses are at least sensitive. Usernames more so. Passwords not on your life unless encrypted in an image that is encrypted.

But these are stored on some server(s) somewhere.  Accessible by some users.

Is there any guide to how it is stored and who has access? Any security rating of your system?
