How secure is Confluence?

My company wants to use Confluence. And we want to add some confidential documents in it. Is it safe to do so?


Danyal Iqbal Community Champion Aug 03, 2018

Confluence does not have any "known" security bugs but that does not mean every confluence installation is inpenetrable. A vigilant adminsitrator and a decent security framework ensures security, not confluence.

Considering HTTPS is the industry standard for any production grade instance, i assume that you mean "how difficult would it be for a confluence user A to bypass the permission scheme and access your confidential documents?" .

-This is unlikely to happen.

Confluence is a very configurable product. You can implement any level of security ranging from Hardware security dongles to signin to anonymous access for confluence pages.

Study the IT security standard in your industry and take your pick. Confluence should be able to work with your chosen security standard.

Jonathan Smith Community Champion Aug 03, 2018

Hi @Charitha Veeragandham,

  Your content is only as safe as how you grant access to Confluence, secure your spaces, and restrict pages.

Our company locks down anything compensation related, so I would consider the application pretty safe if you know what you are doing.

Example: If a parent page has view access for only a certain group, then no one else will be able to see that parent page or the pages underneath it.

Check out the following permissions documentation from Atlassian:

Note: If your company loves to hold onto their data, check out getting Confluence Server. If housing the data is not a concern, then check out Confluence Cloud because then Atlassian can be your 'Sys admin'.

Hope this helps!

Jonathan Smith Community Champion Aug 03, 2018

Note: Some companies feel "safer" if the application is behind their own firewall. If this is your case, then Confluence Server would be a good option.

Davin Studer Community Champion Aug 03, 2018

Other things to consider would be that you are only as secure as your user's security competency. In any organization these days your security folks should be educating users on how to spot phishing and social engineering attacks. Also, don't let your users off with weak passwords. Make them make it strong and don't bow to the upper management folks who complain because it is not friendly enough now. If you really want to take it to the next level require two factor authentication for all your users. That step alone takes your risk way down as the attacker would not only need the user's password but also their second factor. Google recently announced that last year they did not have a single case of an employee's credentials being used successfully in an attack because they require two factor authentication company-wide. There are marketplace add-ons that provide two factor authentication for the self hosted Confluence and the Cloud offering offers it as well.

Beyond user controls it is important to fully understand how to setup Space permissions to lock down the content that is sensitive. You could very easily open it up for anonymous access or add in users that should not have access if you are not making sure to use the principal of least privileges.

SSL is a must. And make sure that it isn't just turned on as an option. If the user tries to access the site over http make sure they get redirected to https.

If you trust your IT folks and have confidence in their security practices (firewall rules, anti-virus, log monitoring, etc) I personally think having your data on premises is better. I know the trend these days is throw everything into the cloud and the their people manage security. "After all they are better able to handle that and it's cheaper." Except that I see stories every day about BIG companies getting breached that have folks dedicated to security and yet they still get hacked. And I would argue strenuously that it is indeed cheaper. I've not seen a cloud hosted solution yet that I believe is cheaper than having competent local IT folks. Not only that cloud offerings are a big target these days simply because there is LOTS of data there to get. "Lots of data" = "lots of reward" for them. Attackers will typically go after the easy, high-profile targets first. If you maintain a low profile you mitigate some risk there. Remember, the tallest blade of grass is the first to get cut.

Anyway, those are my thoughts. Confluence certainly can be a secure product but you have to make it such. It doesn't just come secure and risk free ... no product does.


Log in or Sign up to comment
Community showcase
Published Mar 12, 2019 in Confluence

Confluence Admin Certification now $150 for Community Members

More and more people are building their careers with Atlassian, and we want you to be at the front of this wave! Important Dates Start the Certification Prep Course by 2 April 2019 Take your e...

1,349 views 2 13
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you