We have Crowd/Confluence connnector that prevents unauthorized users from accessing the Confluence-rendered pages.
However, anyone (include external remote hosts) can still access directories such as images, includes, and other files. Is there any way to prevent access to these from non-authorized users?
For example, to view content on our Confluence site, you'd need a login to view http://mysite.com. However, you could access images, for example, at http://mysite.com/images/en_GB.gif or raw decorator source files, for example, at http://mysite.com/decorators/admin.vmd.
Does anyone else see this as a security issue?
The images directory in your instance contains a lot of the standardized Atlassian logos and images that we use all around the site that need to be accessible to anonymous viewers. For instance, your site logo on the Confluence login page has your site logo stored in /images/logos, and without anonymous access, the user would just see a broken image link when logging in. All images uploaded to your site by users are behind the /download/attachments resource, which is login protected so long as you don't have the global and space permissions for anonymous users set.
As for the Velocity files, I'm unfortunately a little less knowledgeable about the need for anonymous access to the content. However, if you haven't made any customizations to the files themselves, they should not have any information to worry about. More importantly, the anonymous access to either of these resource locations does not inherntly put you site at risk.
Hi team, I’m Avinoam, a product manager on Confluence Cloud, and today I’m really excited to let the Community know that all customers can now try out the new editing experience and see some of the ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs