Configuring the Allowlist
Confluence administrators can choose to allow incoming and outgoing connections and content from specified sources for use in the:
- RSS Feed Macro
- HTML Include macro (disabled by default)
- Shared Links Blueprint
- Widget Connector Macro
by adding URLs to the allowlist.
Confluence will display an error if content has been added that is not from an allowed source, and prompt the user to add the URL to the allowlist.
Application links are automatically added to the allowlist. You don't need to manually add them.
Add allowed URLs to the allowlist
If you’re already familiar with the options in the steps below, use the steps to add a URL to the allowlist. The options are explained further down the page if you need more information.
In particular, make sure you understand the impact of the Allow anonymous users option. This option allows unauthenticated users. Allowing unauthenticated users will enable anonymous access to the URL even if your site has disabled the Global Anonymous site access permission.
To add a URL to the allowlist:
- From Administration menu
, select General Configuration. - In the sidebar, select Allowlist.
- Enter the URL or expression you want to allow.
- Select the Type of expression (see below for examples of the types available).
- Select Allow Incoming if you need to allow CORS requests (see below).
- Select Allow anonymous users if you need to allow unauthenticated users.
- Select Add.
Your URL or expression appears in the allowlist.
To test that your allowlisted URL is working as expected you can enter a URL in the Test a URL field. Icons will indicate whether incoming and / or outgoing traffic is allowed for that URL.
Expression types
When adding a URL to the allowlist, you can choose from a number of expression types.
When deciding the best expression type to use, aim for a more restrictive URL, rather than less restrictive, to best protect your site.
| Type | Description | Example |
|---|---|---|
| Domain name | Allows all URLs from the specified domain. | https://www.example.com |
| Exact match | Allows only the specified URL. | https://www.example.com/thispage |
| Wildcard Expression | Allows all matching URLs. Use the wildcard * character to replace one or more characters. | https://*example.com |
| Regular Expression | Allows all URLs matching the regular expression. | http(s)?://www\.example\.com |
Allow Incoming
Allow Incoming enables CORS requests from the specified origin. The URL must match the format scheme://host[:port], with no trailing slashes (:port is optional). So http://example.com/ would not allow CORS requests from the domain example.com.
Allow anonymous users
You can use the Allow anonymous users option to allow outbound requests on behalf of unauthenticated users. This option allows unauthenticated users. Allowing unauthenticated users will enable anonymous access to the URL even if your site has disabled the Global Anonymous site access permission.
This isn't recommended for URLs that may contain private data, such as URLs from application links. If you do need to provide anonymous access, consider using an exact URL or wildcard based rule to limit access to just the required resources.
Change default settings for application links
When you create an application link, the URL is automatically added to the Confluence allowlist. By default, outbound requests from these URLs is only allowed for authenticated users.
To change the default behaviour for all application links, including new application links:
- Go to Administration menu , then General Configuration. > Allowlist.
- Select Configure Settings.
- Select either:
- Allow all users to allow outbound requests for all users, including anonymous users
- Allow authenticated users to deny outbound requests for anonymous users
- Restrict by default to deny outbound requests for all users (the applink will not be added to the allowlist at all)
- Save your changes.
All existing application links, and any new application links added to the allowlist, will use this setting.
Disable the allowlist
The allowlist is enabled by default. You can choose to disable the allowlist however this will allow all URLs, including malicious content.
We strongly discourage you from disabling the allowlist, as it will leave you vulnerable to Server-Side Request Forgery (SSRF) attacks, such as the one disclosed in CONFSERVER-61399 - Getting issue details... STATUS .
To disable the allowlist:
- Go to Administration menu , then General Configuration. > Allowlist.
- Choose Turn off allowlist.
- Choose Confirm.
All URLs will now be allowed. This is not recommended.