Is it possible to turn off the REST API in Confluence? We recently performed a web scan of Confluence using HP WebInspect and it reported numerous criticals due to the REST API. This could be easily resolved if I can restrict or turn off the REST API.
A lot of the default functionality in Confluence uses REST and hence it is not possible to disable it. Maybe you can put something like Apache in the front to prevent calls to certain URLs!
I thought the REST API was just to integrate other applications with Confluence. Does Confluence itself post to the REST API?
Yes, some functionality of the product uses the REST API.
False positives are common from most automated security checking tools. Can you say what kind of results were found? Atlassian is most likely aware of the results from their own security checks - they use these tools too.
The only thing you can disable is the "Remote API (XML-RPC & SOAP)" as described here: https://confluence.atlassian.com/doc/enabling-the-remote-api-150460.html
But it is deprecated from Confluence 5.5 on, so they will turn it off someday anyway.