Some pages in our wiki hosted on Confluence contain very sensitive information. Is there a way to ensure that browsers are told to not cache these pages locally?
For example, if someone were to log in to Confluence from a public computer, we don't want our data persisting in the local browser cache on that computer.
The ideal solution would be for a per-page setting, however even a wiki-wide setting would be useful.
Thanks
To remove caching in Apache, check these examples:
http://www.askapache.com/hacking/speed-site-caching-cache-control.html
I'd expect that you'll want to cache images, CSS, JS etc.
You could potentially do this for a single space only using some kind of regexp, but that may be a little tricky.
You'll likely want to enable HTTPS too so that no one can snoop on the data while it's being transferred.
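An added example, not part of the original answer: one way to send no-cache headers from Apache while still letting static assets be cached. It assumes Apache 2.4 with mod_headers proxying Confluence at the site root, and that attachments are served under `/download/`; the extension list and lifetime are illustrative.

```apache
# Added example (assumptions: Apache 2.4 reverse proxy in front of Confluence,
# mod_headers loaded, Confluence at the site root, attachments under /download/).
<IfModule mod_headers.c>
    # Default for every response (page HTML, REST/JSON, exports):
    # "no-store" tells the browser and any intermediate cache not to keep a copy.
    # Plain "Header set" (not "always") replaces whatever the backend sent,
    # so the client receives exactly one Cache-Control header.
    Header set Cache-Control "no-store"
    # Legacy equivalents for HTTP/1.0 clients and old proxies.
    Header set Pragma "no-cache"
    Header set Expires "0"

    # Static assets (stylesheets, scripts, theme images, fonts) hold no wiki
    # content, so let the browser keep them for an hour.
    <LocationMatch "\.(?:css|js|png|gif|jpe?g|ico|svg|woff2?)$">
        Header set Cache-Control "private, max-age=3600"
        Header unset Pragma
        Header unset Expires
    </LocationMatch>

    # Uploaded attachments can end in .png or .jpg too, but they are wiki
    # content. This section comes later in the file, so it is merged after the
    # one above and puts the no-store policy back for them.
    <LocationMatch "^/download/">
        Header set Cache-Control "no-store"
        Header set Pragma "no-cache"
        Header set Expires "0"
    </LocationMatch>
</IfModule>
```

The wiki-wide default is used instead of a per-space path match because the same page can be reached both by a `/display/SPACEKEY/...` URL and by a `pageId` URL, so a regex on the space key alone would miss some requests. Check the result with `curl -I` against a page URL and an asset URL after reloading Apache.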
Hi Tony,
That has nothing to do with Confluence. You need to enclose the proper HTML command (a meta pragma to "always refresh this page").
Set up a user macro or a page with the HTML code stub and include it in those pages where you need it, either on a page or in the theme configuration if it should be included with all pages in that space.
For ease of administration and theme-wide application, you might want to make that a tag-dependent user macro. This way, you can search for pages with that restriction, and each page checks at runtime whether it should be cached in the client.
For further reading : http://www.htmlgoodies.com/beyond/reference/article.php/3472881/So-You-Dont-Want-To-Cache-Huh.htm
Josh
Hi Josh,
Thanks for the response.
Having read a little more about caching via your link and Google, it seems the most reliable way is to modify the HTTP headers of the server, rather than modify the HTML as you suggest (which works in some browsers but not all, and is ignored by any proxies, which is why HTTP headers are the recommended solution).
So in this case that would be the Apache server that runs Confluence, and it would affect caching across the entire wiki not just the sensitive pages, but I am happy with that tradeoff for the added security. Do you have any information on how this could be achieved?
It is probably fairly common for sensitive information to be stored in the wiki, and the last place you want passwords/credit card info stored is in the local cache of a browser as that is one of the first places hackers will look. Do you know if there is already a feature request for a per-page setting in Confluence where users can mark a page as containing sensitive info? In fact, it could even suggest marking a page as sensitive if the word "password" is found in the content.
Digressing slightly, but in a similar vein, a password widget would be useful - similar to how Chrome & Firefox display your stored passwords in the preferences, where by default they appear censored with a "show" button alongside it.
If these feature requests don't already exist, I will consider adding them. Any comments welcome.
Thanks
Hi Tony,
For the Apache cache, see the other answer.
One side note about "storing sensitive information": I don't know anything about the feature requests; you will have to check the Jira site. For the rest - that depends on the protection level you need. But the central question: would the wiki be a place to store sensitive information at all?
If so, you will have to massively harden the platform and server as well, unless you want to stand in line with the Sonys, ...... (insert long line of hacked servers with stolen credit card data etc.) of this world.
Anything from restricted userbase, token-authentication, VPN access all the way to terminal server access. Just as a reminder :)
About the widget - check out the TrueCrypt project. Might be an approach.
Thanks Josch. Yup server is already fully hardened, and the only access to Confluence & Jira is via SSH tunnels, and the disks are fully encrypted.
We have come up with the lazy solution to educate all staff to use the private mode in their browsers whenever they browse the wiki, to avoid any local caching. This is obviously not enforceable, but it is a quick and easy solution until we implement the Apache caching mentioned in the other answer.