Preparing for Confluence 11.0
This documentation is intended for Confluence developers who want to ensure that their existing plugins and apps are compatible with Confluence 11.0.
Watch this page to find out when a new milestone is available and what’s changed. We will publish formal release notes once we release a beta.
Latest milestones
06 May 2026 | 11.0.0-m148
Issues with this milestone?
Hit the Feedback button on the Confluence EAP header or raise an issue to tell us about it.
Planned changes
In this section we'll provide an overview of the changes we intend to make, so you can start thinking how it might impact your app. We'll indicate when a change has been implemented, and in which milestone.
This release only supports Data Center licenses. If you have a Server license, check out your options for upgrading.
Custom HTML editing now disabled by default
Status: DONE
To improve security, editing custom HTML is now disabled by default. If you need to enable custom HTML, set the confluence.custom.html.config.enabled system property to true. Only system administrators can enable this feature.
How to configure system properties
Look and Feel layouts editing now disabled by default
Status: DONE
To improve security, configuring Look and Feel customization is now disabled by default. Admins can only view existing layout configurations. To enable look and feel customization, set the confluence.custom.look.and.feel.enabled system property to true. Only system administrators can enable this feature.
How to configure system properties
Enhanced Server-Side Request Forgery (SSRF) protection
Status: DONE
To strengthen protection against Server-Side Request Forgery (SSRF) attacks, we have introduced a default outbound request denylist and extended allowlist enforcement to additional platform components. The denylist automatically blocks outbound connections to sensitive internal endpoints - such as cloud metadata services (AWS, Google Cloud, Azure) and link-local IP addresses - as well as dangerous non-HTTP protocols (e.g., file://, ftp://, ldap://).
Additionally, several platform components that previously bypassed the allowlist - including OAuth2, Gadgets, UPM/Marketplace, Application Links, and Webhooks - now respect the allowlist configuration, ensuring consistent outbound request filtering across the platform.
Why we are making this change
This work addresses SSRF vulnerabilities, in which an attacker induces the server to issue requests on their behalf to internal or external resources it should not reach.
What you need to do
These protections are enabled by default and require no configuration, providing immediate out-of-the-box SSRF protection for Jira, Confluence, and JSM instances. If needed, administrators can disable the denylist via JVM system properties (e.g., -Dssrf.denylist.enabled=false), though this is not recommended for production environments.
To mitigate SSRF attacks, we ask you to configure a proper allowlist, which is an effective defense against SSRF. While a denylist can help protect against some obvious SSRF vulnerabilities, the ultimate solution should be a comprehensive allowlist.
More granular control of the denylist is achievable via the following system properties:
| Property | Default | Purpose |
|---|---|---|
| ssrf.denylist.enabled | true | enables or disables the entire denylist |
| | true | enables or disables DNS-based IP checking |
| | true | enables or disables the protocol denylist |
| | | enables or disables the loopback/localhost ranges and the private networks |
Restore from Local Drive now disabled by default
Status: DONE
To improve application security, restoring data from the local drive is now disabled by default. To enable it, set the confluence.restore.from.local.drive.enabled system property to true. Only system administrators can enable this feature, by configuring system properties.
Removal of support for transformed plugins
Status: IN PROGRESS
We are deleting all transformation code and infrastructure from the platform. This means the runtime transformation process, which previously converted older plugin formats at startup, will no longer exist.
If a user attempts to install or enable a transformed plugin, the UPM will block the action and display a clear error message. Any transformed plugins already installed will be forcibly disabled upon upgrading to a Platform 9-based product version.
To ensure your apps continue to work on Data Center Platform 9, you must migrate them to the "transformerless" format.
We provide a conversion script to help automate this process. For further guidance and best practices, you can refer to our documentation on Spring Java configuration of app components.
Complete removal of OpenSymphony PropertySet
Status: IN PROGRESS
The following APIs that leverage PropertySet were made read-only in Confluence 10.0. They have been permanently removed in Confluence 11.0.
com.atlassian.confluence.user.ConfluenceUserPropertySetFactory
com.atlassian.confluence.user.UserAccessor#getPropertySet
com.atlassian.confluence.core.ConfluencePropertySetManager
Migrating data will no longer be possible in Confluence 11.0 - you must complete migration before you upgrade.
For migration guidance, refer to Preparing for Confluence 10.0 for more information.
Complete removal of Bandana and XStream
Status: IN PROGRESS
After making Bandana read-only in Confluence 10.0, we will remove Bandana entirely in Confluence 11.0. For security reasons, Confluence 11.0 will also no longer bundle the XStream library.
The following packages will be removed and will no longer be available to plugins:
com.atlassian.bandana*
com.atlassian.confluence.setup.bandana*
com.atlassian.confluence.setup.xstream*
com.thoughtworks.xstream*
Direct access to the Bandana database table will no longer be possible in Confluence 11.0.
Apps that currently use Bandana must migrate to alternative storage (for example, Active Objects or SAL Plugin Settings) before upgrading to 11.0.
For more information, go to Preparing for Confluence 10.0.
To make this feasible for vendors, upgrade to Confluence 11.0 will be supported only from the latest Confluence 10.2 release. You must first upgrade to the latest Confluence 10.2 release before upgrading to Confluence 11.0.
Content Security Policy
Status: DONE
In Confluence 11, the content security policy (CSP) for the "script-src" directive has been introduced. The following adjustments apply (plugins must update their code to comply with these changes):
- All direct and indirect uses of eval are blocked.
- All inline scripts are blocked.
- Scripts loaded from other domains must be allowed via the CSP script-src header.
- Script tags with inline code must include a nonce attribute.
- Keyboard shortcuts with operation type execute are no longer supported.
How is script-src CSP enabled
Since 11.0.0-m148, Confluence 11 enables the strict script-src policy by default, alongside the existing policies (in 11.0.0-m116 it was available but disabled by default). System administrators control it with the following system property: set it to true to enable the strict policy, or to false to disable it while you migrate your apps:
http.header.security.content.security.policy.strictness.enabled
(e.g. -Dhttp.header.security.content.security.policy.strictness.enabled=false)
When the property is set to true, the CSP report-only mode is disabled, so violations are enforced by the browser rather than only reported.
Handling eval removal
Remove eval and eval-like operations from the codebase; a strict script-src policy blocks them and there is no safe way to allow them, so implement the feature without eval. Patterns that count as eval, directly or indirectly, and will be blocked include:
- the Function constructor
- calls to setTimeout or setInterval with string arguments
- dynamically adding scripts using .html or .write
- underscore's template method (_.template), which compiles the template into code and therefore throws an eval violation
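The block below is an added example (not Confluence code) of how each of the patterns listed above is rewritten to run under a strict script-src policy, and of a way to catch regressions in a test suite before the browser reports them. The `readConfig` allowlist, the `{{ path }}` interpolation syntax and the injectable `timer` argument are choices made for this example.

```javascript
// 1. setTimeout / setInterval with a string argument is compiled like eval and is blocked.
//    Before:  setTimeout("refreshPanel()", 1000);
//    After:   pass a function. `timer` is injectable only so the example is testable.
function scheduleRefresh(refreshPanel, delayMs, timer = setTimeout) {
  return timer(() => refreshPanel(), delayMs);
}

// 2. new Function("return config." + key) is eval by another name. Replace generated code
//    with a plain lookup, here limited to an explicit allowlist of readable keys so that
//    a caller-controlled key cannot reach anything else on the object.
const READABLE_KEYS = new Set(['baseUrl', 'spaceKey']);
function readConfig(config, key) {
  if (!READABLE_KEYS.has(key)) throw new Error(`config key not readable: ${key}`);
  return config[key];
}

// 3. _.template(...) turns the template into a function with new Function, so it throws a
//    CSP violation. This renderer interpolates {{ path.to.value }} with a regex instead of
//    generated code and HTML-escapes every value (which _.template's <%= %> does not).
//    Text outside the interpolation syntax is copied verbatim; missing values render as "".
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

function renderTemplate(template, data) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_match, path) => {
    const value = path.split('.').reduce(
      (obj, key) => (obj != null && Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined),
      data);
    return value === undefined ? '' : escapeHtml(value);
  });
}

// 4. Test-time guard: runs `fn` with the global eval and Function replaced by a function
//    that throws, so any code path that still reaches them fails the test. Direct eval
//    calls go through the global binding too, so they are caught as well.
function withEvalBlocked(fn) {
  const g = globalThis;
  const saved = { eval: g.eval, Function: g.Function };
  function blocked() { throw new Error('eval-like call would violate strict script-src'); }
  g.eval = blocked;
  g.Function = blocked;
  try {
    return fn();
  } finally {
    g.eval = saved.eval;
    g.Function = saved.Function;
  }
}
```

Templates that need logic rather than simple interpolation should be compiled at build time (for example with the Soy templates this page already uses for the nonce), so that no template text is ever turned into code in the browser.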
Handling inline scripts
- Remove inline event-handler attributes (onclick and the like) and attach the handlers from a script instead, handling key events where applicable.
- Move the code in script tags to a separate JS file, or add a nonce attribute to the script tag.

Adding the nonce in VM files:

```html
<script type="text/javascript" nonce="$!request.getAttribute('cspNonceId')">
```

Adding the nonce in Soy files: read the nonce from the request, pass it into the template's data map, and emit it on the script tag.

```java
// Get the nonce value from the request object
public String getNonceId() {
    HttpServletRequest request = getActiveRequest();
    if (request != null) {
        Object nonceId = request.getAttribute("cspNonceId");
        return nonceId != null ? nonceId.toString() : "";
    }
    return "";
}

// Add the nonceId to the Soy template's data mapping
.put("nonceId", getNonceId())
```

```
// Set the nonce value in the Soy template
<script type="text/javascript" {if $nonceId}nonce="{$nonceId}"{/if}>
```

- For scripts loaded from external URLs, allow the domain in the CSP header. Add the following dependency to your pom file:

```xml
<dependency>
    <groupId>com.atlassian.security</groupId>
    <artifactId>atlassian-secure-api</artifactId>
    <scope>provided</scope>
</dependency>
```

Create a CSP fragment in atlassian-plugin.xml:

```xml
<csp name="onboarding-youtube-scripts" key="onboarding-csp-fragment" class="<FULL CLASS PATH LIKE(COM.YOUR.APP.CLASS)>"/>
```

Create the class file:

```java
package <PACKAGE_NAME>;

import com.atlassian.security.csp.api.CspDirective;
import com.atlassian.security.csp.api.CspFragment;

import java.net.URI;
import java.util.Set;

/**
 * CSP fragment that allows script loads from one external origin.
 * Registered via the {@code <csp>} module descriptor in atlassian-plugin.xml.
 */
public class CLASS_NAME implements CspFragment {

    private static final Set<URI> SCRIPT_ORIGINS = Set.of(URI.create("<URL>"));

    @Override
    public Set<CspDirective> getCSPDirectives() {
        return Set.of(CspDirective.SCRIPT_SRC);
    }

    @Override
    public Set<URI> getCSPOrigins(CspDirective cspDirective) {
        if (CspDirective.SCRIPT_SRC == cspDirective) {
            return SCRIPT_ORIGINS;
        }
        return Set.of();
    }

    // URL patterns the fragment applies to
    @Override
    public Set<String> getUrlPatterns() {
        return Set.of("/**");
    }
}
```
JQuery 4 upgrade
Status: DONE
We’re upgrading to jQuery 4 to align all Data Center products on a single version. This update will make developing cross-product apps easier, especially for products currently using older versions of jQuery. As part of this change, we're also removing jQuery migrate.
Because much of our frontend code depends on jQuery, this upgrade will likely require updates to your apps and custom integrations. To help you prepare, we’re backporting as many compatible changes as possible to the following product versions:
Jira Software 11.3
Jira Service Management 11.3
Confluence 10.2
Bamboo 12.1
Bitbucket 10
Crowd 7
This allows you to test your apps for jQuery 4 compatibility without worrying about other breaking changes.
Additionally, AUI 10.1 now supports jQuery 4. We’ll continue to provide jQuery web resources and ask that you use them so we can roll out security patches quickly when needed. While jQuery 4 will be included in future Early Access Program (EAP) releases, it might not be available in the first few versions.
Frontend AMD and WRM resources removal
Status: IN PROGRESS
Removed AMD module: confluence/tooltip
Removed global: AJS.Tooltip
Removed web resources: confluence.web.resources:tooltip and com.atlassian.confluence.plugins.confluence-frontend:tooltip
Replacement: AUI Tooltip component
JQuery plugins removal
Status: DONE
As part of the jQuery upgrade, we have removed the following jQuery plugins from Confluence. Except where a replacement is noted below, none is provided.
Fancybox plugin
Usage (unsupported from 11.0): $jqueryElement.fancybox([settings])
Replacement: not provided, plugins need to bundle their own copy of the plugin if needed.
Removed web-resources:
com.atlassian.confluence.plugins.confluence-frontend:jquery-fancy-box
confluence.web.resources:fancy-box
JSON plugin
Usage (unsupported from 11.0): $.toJSON(str)
Replacement: JSON.stringify() - JavaScript | MDN
Removed web-resources:
com.atlassian.confluence.plugins.confluence-frontend:jquery-json
Mousewheel plugin
Usage (unsupported from 11.0): $jqueryElement.on('mousewheel', handler)
Replacement: Element: wheel event - Web APIs | MDN
Viewport plugin
Usage (unsupported from 11.0): $jqueryElement.viewport([settings])
Replacement: not provided, plugins need to bundle their own copy of the plugin if needed.
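As an added example (not Confluence code), the following replacements cover the two plugins above that do have native equivalents. `toJSON` is the one-line swap; `bindWheel` is the part that needs care, because the old mousewheel handler received a normalised `delta` whose sign convention (positive meaning "scroll up", inverted from the native event) and the per-line and per-page pixel factors used here are assumptions made for this example, and because a `wheel` listener should be registered passive unless it really needs to cancel the scroll.

```javascript
// $.toJSON(value) -> JSON.stringify(value). JSON.stringify drops undefined, functions and
// symbols and throws on cyclic structures, so callers that relied on lenient output should
// check their inputs rather than wrap this further.
function toJSON(value) {
  return JSON.stringify(value);
}

// The native `wheel` event reports deltaY > 0 for "scroll down" in pixels, lines or pages
// depending on deltaMode (0, 1, 2). jquery-mousewheel handlers received (event, delta)
// with the opposite sign (assumed), so the conversion flips it and scales to pixels.
const LINE_HEIGHT_PX = 40;   // assumed factor for deltaMode === 1
const PAGE_HEIGHT_PX = 800;  // assumed factor for deltaMode === 2
function legacyDeltaFromWheel({ deltaY, deltaMode = 0 }) {
  const scale = deltaMode === 1 ? LINE_HEIGHT_PX : deltaMode === 2 ? PAGE_HEIGHT_PX : 1;
  return -deltaY * scale;
}

// Before:  $(el).on('mousewheel', function (event, delta) { ... });
// After:   const unbind = bindWheel(el, function (event, delta) { ... });
// `passive: true` promises the browser the handler never calls preventDefault(), so
// scrolling is not blocked on script; pass { passive: false } only if it must cancel the scroll.
function bindWheel(element, handler, options = { passive: true }) {
  const listener = event => handler(event, legacyDeltaFromWheel(event));
  element.addEventListener('wheel', listener, options);
  return () => element.removeEventListener('wheel', listener, options);
}
```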
React 19 upgrade
Status: IN PROGRESS
We're upgrading to React 19. React is a core frontend dependency in DC products and a dependency for other important frontend libraries such as Atlaskit. Because of this, Marketplace apps using React will also need to upgrade to React 19.
Areas affected by this upgrade:
com.atlassian.plugins:react web resource will now provide React 19
Clientside Extensions (CSE) will now use React 19
As we learn more and develop tools to help with the migration, we will update the developer documentation.
More details can be found in community post at React 19 upgrade in Data Center (Jira 12, Confluence 11, Bitbucket 11, Bamboo 13, Crowd 8)
Implemented changes
In this section we'll provide details of changes we have implemented, organised by the milestone they are first available in. This will help you decide which milestone to use when testing.
EAP 04 – 06 May 2026
Milestone 11.0.0-m148
Contains:
- Look and Feel customization editing is now disabled by default
- CSP strict mode enabled by default
- JQuery Fancybox and JSON plugins removed
- Minor bug fixes
EAP 03 – 08 April 2026
Milestone 11.0.0-m116
Contains:
- A stricter Content Security Policy (CSP) is now configurable via a system property
- A default outbound request denylist has been added as protection against SSRF
- Minor bug fixes
- JQuery 4
EAP 02 – 3 March 2026
Milestone 11.0.0-m79
Contains:
- Look and Feel layouts editing now disabled by default
- Minor bug fixes
EAP 01 – 10 February 2026
Milestone 11.0.0-m55
Contains:
- Custom HTML editing now disabled by default
- Minor bug fixes
Looking for updated documentation? Check out the Confluence EAP space for the latest docs.
Did you know we've got a new developer community? Head to community.developer.atlassian.com/ to check it out! We'll be posting in the announcements category when new EAP releases are available.