Configuring the Whitelist
Confluence administrators can choose to allow incoming and outgoing connections and content from specified sources for use in the:
- RSS Feed Macro
- HTML Include macro (disabled by default)
- gadgets
- Shared Links Blueprint
by adding URLs to the whitelist.
Confluence will display an error if content has been added that is not from an allowed source, and prompt the user to add the URL to the whitelist.
Application links are automatically added to the whitelist. You don't need to manually add them.
Add allowed URLs to the whitelist
To add a URL to the whitelist:
- Go to
> General Configuration > Whitelist. - Enter the URL or expression you want to allow.
- Choose the Type of expression (see below for examples of the types available).
- Choose Allow Incoming if you need to allow CORS requests (see below).
- Choose Add.
Your URL or expression appears in the whitelist.
To test that your whitelisted URL is working as expected you can enter a URL in the Test a URL field. Icons will indicate whether incoming and / or outgoing traffic is allowed for that URL.
Expression Types
When adding a URL to the whitelist, you can choose from a number of expression types.
| Type | Description | Example |
|---|---|---|
| Domain name | Allows all URLs from the specified domain. | https://www.example.com |
| Exact match | Allows only the specified URL. | https://www.example.com/thispage |
| Wildcard Expression | Allows all matching URLs. Use the wildcard * character to replace one or more characters. | https://*example.com |
| Regular Expression | Allows all URLs matching the regular expression. | http(s)?://www\.example\.com |
Allow Incoming
Allow Incoming enables CORS requests from the specified origin. The URL must match the format scheme://host[:port], with no trailing slashes (:port is optional). So http://example.com/ would not allow CORS requests from the domain example.com.
Disabling the whitelist
The allowlist is enabled by default. You can choose to disable the allowlist however this will allow all URLs, including malicious content.
We strongly discourage you from disabling the allowlist, as it will leave you vulnerable to Server-Side Request Forgery (SSRF) attacks, such as the one disclosed in
CONFSERVER-61399
Published
.
To disable the allowlist:
- Choose the cog icon , then choose General Configuration
- Choose Whitelist.
- Choose Turn off whitelist.
- Choose Confirm.
All URLs will now be allowed. We strongly recommend not disabling the whitelist.