Configure certain Confluence pages to never be cached by browser

Some pages in our wiki hosted on Confluence contain very sensitive information. Is there a way to ensure that browsers are told to not cache these pages locally?

For example, if someone were to log in to Confluence from a public computer, we don't want our data persisting in the local browser cache on that computer.

The ideal solution would be for a per-page setting, however even a wiki-wide setting would be useful.

Thanks

2 answers

1 accepted

1 vote
David Simpson Community Champion May 23, 2012

To remove caching in Apache, check these examples:

http://www.askapache.com/hacking/speed-site-caching-cache-control.html

I'd expect that you'll want to cache images, CSS, JS etc.

You could potentially do this for a single space only using some kind of regexp, but that may be a little tricky.

You'll likely want to enable HTTPS too so that no one can snoop on the data while it's being transferred.
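One way to apply the approach in this answer, as an added example that is not part of the original answer. It assumes Apache httpd 2.4 with mod_headers and mod_setenvif, proxying Confluence at the site root; the space key `SECRET`, the `/display/` page URL form and the list of asset extensions are assumptions to adapt.

```apache
# Added example, not from the original answer. Assumes httpd 2.4 with
# mod_headers and mod_setenvif, and Confluence proxied at the site root.

# Option A: one space only. SECRET is a placeholder space key; this matches
# page URLs of the form /display/SECRET/Page+Title. LocationMatch sees only
# the path, so URLs that identify the page in the query string are not covered.
<LocationMatch "^/display/SECRET(/|$)">
    # "Header set" replaces any Cache-Control sent by the backend.
    Header set Cache-Control "no-store"
    # For HTTP/1.0 clients and intermediaries that ignore Cache-Control.
    Header set Pragma "no-cache"
    Header set Expires "0"
</LocationMatch>

# Option B: wiki-wide, while leaving images, CSS and JS cacheable.
# Request_URI excludes the query string, so the extension test applies
# to the path alone.
SetEnvIf Request_URI "\.(css|js|png|gif|jpe?g|ico|svg|woff2?)$" static_asset
Header set Cache-Control "no-store" env=!static_asset
Header set Pragma "no-cache" env=!static_asset
Header set Expires "0" env=!static_asset
```

After reloading Apache, inspect the response headers of a sensitive page and of a static asset (for example with `curl -I`) to confirm that the page carries `Cache-Control: no-store` and the asset does not.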

Hi Tony,

That has nothing to do with Confluence. You need to enclose the proper HTML command (a meta pragma to "always refresh this page").

Set up a user macro or a page with the HTML code stub and include it in those pages where you need it. Either on a page or in the theme configuration, if it should be included with all pages in that space.

For ease of administration and theme-wide application, you might want to make that a tag-dependent user macro. This way, you can search for pages with that restriction and each page checks at runtime whether it should be cached in the client.

For further reading: http://www.htmlgoodies.com/beyond/reference/article.php/3472881/So-You-Dont-Want-To-Cache-Huh.htm

Josh

Hi Josh,

Thanks for the response.

Having read a little more about caching via your link and Google, it seems the most reliable way is to modify the HTTP headers of the server, rather than modify the HTML as you suggest (which works in some browsers but not all, and is ignored by any proxies, which is why HTTP headers are the recommended solution).

So in this case that would be the Apache server that runs Confluence, and it would affect caching across the entire wiki not just the sensitive pages, but I am happy with that tradeoff for the added security. Do you have any information on how this could be achieved?

It is probably fairly common for sensitive information to be stored in the wiki, and the last place you want passwords/credit card info stored is in the local cache of a browser as that is one of the first places hackers will look. Do you know if there is already a feature request for a per-page setting in Confluence where users can mark a page as containing sensitive info? In fact, it could even suggest marking a page as sensitive if the word "password" is found in the content.

Digressing slightly, but in a similar vein, a password widget would be useful - similar to how Chrome & Firefox display your stored passwords in the preferences, where by default they appear censored with a "show" button alongside it.

If these feature requests don't already exist, I will consider adding them. Any comments welcome.

Thanks

Hi Tony,
For the Apache cache, see the other answer.

One side note about "storing sensitive information": I don't know anything about the feature requests; you will have to check the Jira site. For the rest, that depends on the protection level you need. But the central question: would the wiki be a place to store sensitive information at all?

If so, you will have to massively harden the platform and server as well, unless you want to stand in line with the Sonys, ...... (insert long line of hacked servers with stolen credit card data etc.) of this world.

Anything from restricted user base, token authentication, VPN access all the way to terminal server access. Just as a reminder :)

About the widget: check out the TrueCrypt project. Might be an approach.

Thanks Josch. Yup server is already fully hardened, and the only access to Confluence & Jira is via SSH tunnels, and the disks are fully encrypted.

We have come up with the lazy solution to educate all staff to use the private mode in their browsers whenever they browse the wiki, to avoid any local caching. This is obviously not enforceable, but it is a quick and easy solution until we implement the Apache caching mentioned in the other answer.
