Confluence turn off REST API

Dirk Stubbs June 28, 2016

Is it possible to turn off the REST API in Confluence? We recently performed a web scan of Confluence using HP WebInspect and it reported numerous criticals due to the REST API. This could be easily resolved if I can restrict or turn off the REST API.

3 answers

1 vote
Jobin Kuruvilla [Adaptavist]
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 28, 2016

A lot of the default functionality in Confluence uses REST and hence it is not possible to disable it. Maybe you can put something like Apache in the front to prevent calls to certain URLs!

Dirk Stubbs June 29, 2016

I thought the REST API was just to integrate other applications with Confluence. Does Confluence itself post to the REST API?

Steven F Behnke
Rising Star
June 29, 2016

Yes, some functionality of the product uses the REST API.

0 votes
MattS
Rising Star
June 30, 2016

False positives are common from most automated security checking tools. Can you say what kind of results were found? Atlassian is most likely aware of the results from their own security checks - they use these tools too.

0 votes
Benjamin Weinheimer-Erben (mgm-tp)
Rising Star
June 28, 2016

The only thing you can disable is the "Remote API (XML-RPC & SOAP)" as described here: https://confluence.atlassian.com/doc/enabling-the-remote-api-150460.html

But it is deprecated from Confluence 5.5 on, so they will turn it off someday anyway.
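
The reverse-proxy idea from the first answer, combined with the Remote API point in the last one, could look like the following Apache httpd 2.4 configuration. This is an added example, not configuration from any poster or from Atlassian. Assumed and not from the thread: the hostname, certificate paths, the 10.0.0.0/8 range, Confluence on localhost:8090 with no context path, and that no integration still depends on XML-RPC or SOAP.

```apache
# Added example: Apache httpd 2.4 reverse proxy in front of Confluence.
# Requires mod_ssl, mod_proxy and mod_proxy_http. All names, paths and
# address ranges below are placeholders (assumptions, not from the thread).
<VirtualHost *:443>
    ServerName wiki.example.com

    SSLEngine on
    # Placeholder certificate locations.
    SSLCertificateFile    /etc/ssl/certs/wiki.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.com.key

    # Act only as a reverse proxy, never as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8090/
    ProxyPassReverse / http://localhost:8090/

    # Remote API (XML-RPC & SOAP): the UI does not need it, so refuse it
    # at the edge in addition to disabling it in the admin console.
    <LocationMatch "^/rpc/(xmlrpc|soap-axis)">
        Require all denied
    </LocationMatch>

    # REST cannot be denied outright because Confluence's own pages call it
    # from the user's browser. Limit it to the networks users browse from,
    # so a scanner or client outside that range gets 403 on /rest/.
    <Location "/rest/">
        Require ip 10.0.0.0/8
    </Location>

    # Log denied requests with enough detail to tune the rules.
    LogFormat "%h %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" proxyaudit
    CustomLog logs/confluence_proxy.log proxyaudit
</VirtualHost>
```

After deploying, re-run the scan from outside the allowed range and check the log for 403 responses on `/rest/` and `/rpc/`; users outside the allowed range will lose REST-backed features, which is the trade-off the answers above describe.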

 
