Configuring the allowlist
Add allowed URLs to the allowlist
To add a URL to the allowlist:
1. From the Administration menu, select Overview.
2. On the left sidebar, under Security, select Allowlist.
3. Enter the URL or expression you want to allow.
4. Select the Type of expression (see below for examples of the types available).
5. Select Add.
Your URL or expression appears in the allowlist.
To test that your allowlisted URL is working as expected, you can enter a URL in the Test a URL field. Icons will indicate whether incoming and/or outgoing traffic is allowed for that URL.
Expression types
When adding a URL to the allowlist, you can choose from a number of expression types.
When deciding the best expression type to use, aim for a more restrictive URL rather than a less restrictive one to best protect your site.
Type | Description | Example |
---|---|---|
Domain name | Allows all URLs from the specified domain. | |
Exact match | Allows only the specified URL. | |
Wildcard Expression | Allows all matching URLs. Use the wildcard * character to replace one or more characters. | |
Regular Expression | Allows all URLs matching the regular expression. | |
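To see how much each expression type lets through, you can run a set of candidate URLs against draft rules before adding them. The following is an added example, not Confluence's own matching code: it approximates the four types in Python, and the matching semantics (domain compared as scheme, host and port; regular expressions matched against the whole URL), the `rule_allows` and `audit` names, and the `.test` hosts are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

def _origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

def rule_allows(rule_type, expression, url):
    """Approximate the four expression types from the table (assumed semantics)."""
    if rule_type == "exact":
        return url == expression
    if rule_type == "domain":
        # Compare the parsed origin rather than a string prefix, so a
        # longer hostname that merely starts with the allowed one fails.
        return _origin(url) == _origin(expression)
    if rule_type == "wildcard":
        # '*' stands for one or more characters, as the table describes.
        pattern = ".+".join(re.escape(part) for part in expression.split("*"))
        return re.fullmatch(pattern, url) is not None
    if rule_type == "regex":
        return re.fullmatch(expression, url) is not None
    raise ValueError(f"unknown rule type: {rule_type}")

def audit(rules, candidates):
    """Map each (type, expression) rule to the candidate URLs it allows."""
    return {(t, e): [u for u in candidates if rule_allows(t, e, u)] for t, e in rules}

# Constructed sample data; all hosts use the reserved .test TLD.
RULES = [
    ("exact", "https://wiki.example.test/feed.xml"),
    ("domain", "https://wiki.example.test"),
    ("wildcard", "https://wiki.example.test*"),
    ("wildcard", "https://wiki.example.test/*"),
    ("regex", r"https://wiki\.example\.test/feeds/[a-z]+\.xml"),
]
CANDIDATES = [
    "https://wiki.example.test/feed.xml",
    "https://wiki.example.test/feeds/news.xml",
    "https://wiki.example.test.lookalike.test/feed.xml",
    "http://wiki.example.test/feed.xml",
]

if __name__ == "__main__":
    for rule, allowed in audit(RULES, CANDIDATES).items():
        print(rule, "->", allowed)
```

The wildcard without a trailing slash before `*` also allows the lookalike host, which is why the more restrictive form is the safer rule to add.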
Change default settings for application links
When you create an application link, the URL is automatically added to the Confluence allowlist. By default, outbound requests from these URLs are only allowed for authenticated users.
To change the default behavior for all application links, including new application links:
1. From the Administration menu, select Overview.
2. On the left sidebar, under Security, select Allowlist, and then Configure Settings.
3. Select one of:
   - Allow all users, to allow outbound requests for all users, including anonymous users
   - Allow authenticated users, to deny outbound requests for anonymous users
   - Restrict by default, to deny outbound requests for all users (the applink will not be added to the allowlist at all)
4. Save your changes.
All existing application links and any new application links added to the allowlist will use this setting.
Disable the allowlist
The allowlist is enabled by default. You can choose to disable the allowlist; however, this will allow all URLs, including malicious content.
We strongly discourage you from disabling the allowlist, as it will leave you vulnerable to Server-Side Request Forgery (SSRF) attacks.
To disable the allowlist:
1. From the Administration menu, select Overview.
2. On the left sidebar, under Security, select Allowlist.
3. Select Turn off allowlist.
4. Select Confirm.
All URLs will now be allowed. This is not recommended.