First, I'm not sure you quite understand how the data is leaked...
The referrrer data is in the HTTP request sent by the end user's browser, so it's from the user's PC to the external site, not from Confluence to the external site. So putting a proxy between Confluence & the outside world won't do that. The proxy MAY work as the user's HTTP request is sent via the proxy, which in turn, strips out the REFERRER field.
if it doesn't work for users on a VPN, then it's probably because their HTTP traffic isn't going via the company's proxy. Instead it's going direct via their local connection. I suspect it's a misconfiguration on the local PC that the security team have missed. My guess would be that the user's browser ISN'T routing traffic via the proxy.
Best solution, fix the user's browser to hardwire it to the company proxy
If that isn't possible, I think, IIRC, you can switch the confluence to SSL and the referrer field isn't sent when linking to another NON-Secure site.
or if you can 100% guarantee that all your users on on HTML5 browsers (iei Chrome), then you could maybe write a jquery statement to inject the "ref=noreferrer" attribute but it's not a good solution.
Get security to route the end user's HTTP traffic via the company proxy when on the company VPN, and switch to SSL
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.