Preparing for Confluence 9.0
This documentation is intended for Confluence developers who want to ensure that their existing plugins and apps are compatible with Confluence 9.0.
Watch this page to find out when a new milestone is available and what’s changed. We will publish formal release notes once we release a beta.
Latest milestones
22 July 2024 | 9.0.0-rc2 |
Issues with this milestone?
Hit the Feedback button on the Confluence EAP header or raise an issue to tell us about it.
We’ve completed approximately 95% of the breaking changes targeting Confluence 9.0 including the full adoption of Platform 7, RESTv2, minimal compatibility with Java 17, and many more changes. We encourage marketplace vendors to begin testing on this EAP and providing feedback as soon as possible while we continue to progress towards the 9.0 GA date.
Planned changes: experience improvements
In this section we'll provide an overview of the changes we intend to make, so you can start thinking about how they might impact your app. We'll indicate when a change has been implemented, and in which milestone.
This release only supports Data Center licenses. If you have a Server license, check out your options for upgrading.
Opt-in OpenSearch engine to be available in Confluence 9.0
Status: DONE
Our work on introducing OpenSearch as an opt-in search engine is ahead of schedule, and we plan to include it in our release of Confluence 9.0. This will provide more advanced indexing options, leading to less processing requirements and faster search results. Note that OpenSearch can be used as an alternative to Lucene, but Confluence 9.0 will still use Lucene by default.
To get started, visit the OpenSearch upgrade guide.
Removal of custom language syntaxes from Code Block macro
Status: DONE
We've removed the Add New Language feature from the Code Block macro and all associated back-end APIs. This change improves the security and stability of our platform.
If custom languages have already been added to your system, we recommend that you manually uninstall them because they will no longer work. Explore more information about the Code Block macro.
If your system has no custom languages, there is nothing you need to do.
Note that this change was made in the recently released Confluence 8.9.4.
Bug in application link between Confluence 9 and other Data Center products
Status: DONE
Creating new application links between incompatible versions of Confluence 9.0 and other Data Center products will not work as expected.
For more details, check out a workaround for the issue with application links.
Removal of JAACS setup via setup wizard in Confluence 9.0
Status: DONE
To reduce technical debt and simplify the installation flow, we've removed the option to set up Jira as a Crowd Server (JAACS) from the setup wizard in Confluence 9.0. This change simplifies the setup process and prioritizes features most valued by our users.
Administrators looking to integrate user management between Confluence Data Center and Jira Software Data Center can now configure JAACS post-setup through Administration > General Configuration > User directories > Atlassian Jira.
Find out more details on how to connect Confluence to Jira applications for user management.
Trusted Application endpoint access restricted
Status: DONE
Access to Trusted Application endpoints is now limited to system administrators. Since Trusted Applications has been deprecated, we recommend using OAuth for application links.
Explore our more detailed upgrade instructions for updating application links to use OAuth.
Dark theme for Confluence
Status: DONE
We are planning to ship dark theme in Confluence 9.0. Work is currently underway, though you can check out the latest details about dark theme.
Make sure you've read the developer guidance on preparing your Data Center app for the dark theme. You can also start testing your apps with the new theme using the theme.switcher dark feature.
Additionally, you can add the dark feature confluence.dark.theme.text.colors to enable text and table background color conversion in the content. This will convert the text colors and table background colors to the closest match from the new palette, introduced in 8.9, to provide full light and dark theme compatibility.
As a result of the changes we made to the editor color palettes in Confluence 8.9, the release of dark theme means that all colors in the editor will now be converted to match the updated color palettes and you will no longer be able to customize these palettes using the temporary workaround.
Check out our guide on how to set up dark theme.
New REST APIs for content management
Status: DONE
Access more REST APIs to help you automate, script, and scale tasks related to:
- watchers
- labels
- attachments
- page moves
Check the new REST API documentation (see below for the updated Swagger link and important info) for the new methods to use.
Confluence REST API documentation to be Swaggerfied
Status: DONE
We’re modernizing the look and feel of our Confluence Data Center REST API documentation by migrating it to Swagger. As well as all the cosmetic benefits we’re getting from the Swagger API documentation framework, this migration will make our API docs easier for you to navigate, find examples, and copy snippets from. The modernized REST API also has a new location!
We've migrated all existing and new API content to Swagger, and while some minor fixes are still underway, it's now available for you to explore.
Visit our new REST API documentation to preview its capabilities.
Planned changes: security & compliance (upgrades, removals, & functionality)
Check your webpack config is up to date
Status: DONE
We’ve carried out some page weight reduction work that may affect your apps if you haven't configured your webpack (or other JS bundler) builds correctly. The changes are:
- In most places, Confluence now uses the @atlassian/browserslist-config-server browserslist config to directly support the latest two versions of Chrome, Edge, Firefox and Safari only. For views that also support mobile, it directly supports the latest two versions of iOS Safari, Android Chrome and Android WebView.
- Confluence no longer serves the whole of core-js@3.37.0, but only what's needed to polyfill current browsers for stable features from core-js@3.37.0. This change should have no impact because browsers are already serving the rest of the features.
- Confluence no longer serves the whatwg-fetch polyfill and the AbortController polyfill. This change should have no impact because browsers have had relatively consistent support for these features for some years.
- Confluence no longer serves regenerator-runtime. This will break code that uses async functions or async generators and was transpiled to work on browsers that did not yet support these ES2017 and ES2018 features.
We recommend that any affected components adopt @atlassian/browserslist-config-server in their browserslist config too, so that they can be sure to stay compatible with the browsers that all Atlassian DC products and UI frameworks also support.
Editor TinyMCE 7 upgrade
Status: DONE
We're in the process of upgrading the Confluence editor from TinyMCE 6 to TinyMCE 7, and we plan to ship the upgraded editor in Confluence 9.0. Besides bug fixes, we expect no impact to end users.
We’ll keep you updated here about the changes we make to prepare for the upgrade. See TinyMCE’s guide for migrating from TinyMCE 6 to TinyMCE 7 to begin preparing your apps.
Upgrades to jQuery
Status: DONE
As part of our ongoing efforts to ensure our platform remains secure and efficient, we will remove jQuery migrate 1.4.1 from Confluence 9.0. We plan to remove jQuery version 2.x, and to update our platform to jQuery 3.x.
Read more details in our jQuery upgrade guide.
Platform 7 upgrade
Status: DONE
Confluence 9.0 will include an upgrade to Atlassian Platform 7. This upgrade puts us in a better position to respond to security changes with reduced disruption and breaking changes for your apps.
As part of this work, we will:
- upgrade numerous Atlassian and third-party components to benefit from the latest security patches and bug fixes
- remove ‘Gray APIs’ (unsupported third-party and cross-product libraries with dependencies – more on this below)
As a result of this work, we will:
- rearchitect Atlassian REST APIs (Jackson/Jersey updated, and updated JAX-RS to v2)
- reduce public APIs in Atlassian apps, WRM, and web fragments
Many of the newly defined APIs will become available in the upcoming 8.x feature releases, starting with Confluence 8.7. See REST API developer documentation for an updated list.
Proactively migrating away from code that is marked as deprecated will ensure a smoother upgrade to Confluence 9.0.
Read more about how to prepare for the Platform 7 upgrade here.
Gadgets removal
Status: DONE
Removing the Gadgets package from Confluence has been a long-planned tech debt removal, and has finally been completed.
Vendors who have Jira Gadgets that they wish to provide inside Confluence will now need to provide Confluence macros to achieve the same outcome from Confluence 9.0 and beyond.
Refactoring and scope reduction of ConfluenceActionSupport
Status: DONE
In Confluence 9.0, ConfluenceActionSupport has been stripped down to its essentials. Any missing methods or fields that your Action classes relied on should now be implemented directly in your Action class instead.
Existing functionality on short pause
Status: DONE
As part of our Platform 7 upgrade, we’ve needed to temporarily pause some Web Resource Manager (WRM) functionality. In EAP release 13, we deactivated some features, listed below. We’re now reactivating some. We’ve added “reactivated” or “still deactivated” so you can make use of the reactivated features.
- Confluence Cloud Migration Assistant (reactivated)
- Retention Rules (reactivated)
- Personal Access Tokens (reactivated)
- Troubleshooting & Support (reactivated)
- Zero Downtime Upgrade (reactivated)
- Editor CSS may not load properly (reactivated)
- Using the Edit button to edit a page, or editing page comments may not work: open the editor in a new tab if you’re experiencing issues (reactivated)
Note that these are temporary deactivations for this release while we integrate Platform 7 into Confluence 9.0.
Version 3.0.x of pocketknife-dynamic-modules now available
Status: DONE
We’ve released a new version of the pocketknife-dynamic-modules library as a workaround to provide compatibility with Platform 7.
- The existing version (pocketknife-dynamic-modules 1.1.1) remains compatible with Confluence versions up to 8.9.
- The new version (pocketknife-dynamic-modules 3.0.x) will work with Confluence 9.0 and later.
Note that pocketknife-dynamic-modules 2.0.0 is compatible with Confluence 8.8 and 8.9 only, so you can skip using that version.
Removing the legacy backup and restore system
Status: DONE
In Confluence 8.3, the backup and restore system underwent a complete upgrade with visible improvements to performance, stability, functionality, and appearance. The benefits of the upgrade include:
- faster XML backup and restore operations with performance that is up to 10 to 50 times faster, based on the instance size
- the ability to backup and restore multiple spaces, instead of the entire site
- more visibility and control with the ability to cancel backup and restore jobs
- improved reliability and reduced resource consumption
Learn more about these changes in the Confluence 8.3 Release Notes.
As part of Confluence 9.0, we plan to remove the legacy backup and restore system. This means that scheduled backups, which still use our legacy system, will no longer be available. Scheduled XML backups are disabled by default in Confluence Data Center.
We don't recommend relying on XML backups as a main backup method. Instead, we recommend regularly backing up the database, installation directory, and home directories. See Production Backup Strategy for recommended methods.
For backups of test sites, or in addition to database and directory backups, we recommend using the upgraded backup and restore system’s documented API that makes managing these tasks easier and also allows for the automation of heavy or large site merges and space migrations.
Removing support for Java 11
Status: DONE
Java 11 will no longer be supported. Confluence 9.x will support Java 17 and 21.
Check out the end of support announcements.
Removing deprecated code
Status: DONE
We will remove deprecated code paths in earlier Confluence versions. See Deprecated code paths removed in 9.0 for a full list of the classes and methods removed.
Changes like this help us maintain a healthy code base, remove hurdles for developers, and simplify the code structure where possible.
As we approach the final stages of the development cycle for Confluence 9.0, we’re reducing the number of code removals. Most remaining changes will be limited to our work on the Platform 7 REST re-architecture.
Velocity template and allowlist security improvements
Status: DONE
We're taking steps towards verifiably secure installation directories for all Data Center products. These changes not only increase the difficulty for an attacker to exploit filesystem access, but also allow customers to verify the state of the product installation.
From Confluence 9.0, all Velocity files stored on the filesystem (for example, shared, local home, or any other) will need to be explicitly allowlisted and must be of a specific file type. Files stored inside .jar files and bundled within plugins will not be affected.
In addition, all method invocations within a Velocity template must be explicitly allowlisted. The only exception is getter methods on Struts Action classes, which will be auto-allowlisted.
For more information, visit Configuring the Velocity method allowlist and Configuring the Velocity file and file type allowlist.
Struts Velocity directives no longer supported
Status: DONE
Struts Velocity directives (e.g. #scomponent, #stextfield, #scheckbox, #ssubmit and all others beginning with #s) are no longer supported. If you utilize these in your Velocity templates, please migrate to the raw HTML equivalent.
Example migration from:
#scomponent("name='personalInformation'" "template='textarea.vm'" "theme='aui'" "label='personal.info'" "rows=8" "cols=70") #end
to
<div class="field-group">
<label id="personalInformation-label" for="personalInformation">About Me</label>
<textarea id="personalInformation" name="personalInformation" cols="70" rows="8" class="monospaceInput textarea"></textarea>
</div>
Struts Actions XSRF protection enabled by default
Status: DONE
Previously, all Struts actions accepted any HTTP request method, unless explicitly restricted through a @PermittedMethods annotation or a permittedMethods Action parameter in the Struts module descriptor.
From 9.0, Struts actions that do not have the above annotation or configuration parameter will by default only accept POST requests. Actions that map to the method name doDefault will additionally accept GET requests by default. To avoid unexpected behaviour we recommend explicitly annotating all Struts action methods with @PermittedMethods or configuring permittedMethods Action parameters in your Struts module descriptor.
Additionally, all non-GET requests will require an XSRF token by default and you will need to ensure you pass a token when calling such endpoints. While we recommend that you configure your Action permitted methods so this is not an issue, explicitly opting an Action in or out of token requirements is also possible.
Refer to the documentation for further details.
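To find the action methods that will fall back to these defaults, the rules above can be applied to your Action sources. The following is an added example, not Atlassian code: it is a regex heuristic over a constructed Java sample, the HttpMethod.X argument form and all function names are assumptions, and it does not read permittedMethods parameters from the Struts module descriptor.

```python
"""Audit Struts action methods against the Confluence 9.0 request-method defaults.

Added example: the rules come from the text above; the Java sample, the
HttpMethod.X argument form and every function name here are assumptions.
"""
import re

# Constructed sample Action source (not from any real plugin).
SAMPLE_ACTION = '''
public class ProfileAction extends ConfluenceActionSupport {
    @PermittedMethods(HttpMethod.GET)
    public String view() { return SUCCESS; }

    public String doDefault() { return INPUT; }

    public String execute() { return SUCCESS; }

    @PermittedMethods({HttpMethod.GET, HttpMethod.POST})
    public String doEdit() { return SUCCESS; }
}
'''

# Optional run of annotations, then a public no-arg method returning String.
ACTION_METHOD = re.compile(
    r"(?P<annos>(?:@\w+(?:\([^)]*\))?\s*)*)"
    r"public\s+String\s+(?P<name>\w+)\s*\(\s*\)"
)
PERMITTED = re.compile(r"@PermittedMethods\s*\(([^)]*)\)")


def effective_methods(name, annotations):
    """Return (accepted HTTP methods, True if they were declared explicitly)."""
    declared = PERMITTED.search(annotations)
    if declared:
        # Upper-case words in the annotation arguments are the HTTP verbs.
        return set(re.findall(r"\b[A-Z]+\b", declared.group(1))), True
    # 9.0 default: POST only, plus GET when the method is doDefault.
    return ({"GET", "POST"} if name == "doDefault" else {"POST"}), False


def audit(source):
    """List each action method with the request methods it accepts in 9.0."""
    report = []
    for m in ACTION_METHOD.finditer(source):
        methods, explicit = effective_methods(m["name"], m["annos"])
        report.append({
            "method": m["name"],
            "explicit": explicit,
            "accepts": sorted(methods),
            # Every non-GET request needs an XSRF token by default.
            "token_required_for": sorted(methods - {"GET"}),
        })
    return report


def relies_on_defaults(source):
    """Names of action methods with no @PermittedMethods annotation."""
    return [row["method"] for row in audit(source) if not row["explicit"]]


if __name__ == "__main__":
    for row in audit(SAMPLE_ACTION):
        print(row)
```

Methods returned by relies_on_defaults are the ones to annotate explicitly, as recommended above; before 9.0 they accepted any request method.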
More secure defaults for endpoints
Status: DONE
We’ve enabled better control of access to endpoints with new annotations. From Confluence 9.0, only licensed users can access resources without specified access criteria annotations. Make sure you review:
- @AdminOnly
- @AnonymousSiteAccess
- @LicensedOnly
- @SystemAdminOnly
- @UnlicensedSiteAccess
- @UnrestrictedAccess
Reviewing these will ensure that the intended users can access your application endpoints. You may need to make changes to endpoints such as Struts Actions, Filters, Servlets and REST resources.
Visit Prepare your Data Center app to comply with secure endpoint defaults for full details.
Removal of Gray APIs
Status: DONE
We will remove the ability for your apps to load many third-party libraries as well as a few Atlassian-specific libraries from the Confluence application (we’re calling this group of libraries ‘Gray APIs’). You will need to start bundling your own copies of these libraries with your apps if you wish to continue using them. We have been marking libraries as deprecated from Confluence 8.7 to 8.9.
This upgrade will allow us to improve Confluence more frequently without breaking your app or requiring you to do significant testing and rework when things change.
See our developer guidance on how to get your apps ready for the Gray API removal, which includes a list of deprecated code paths to be removed in 9.0.
New default HTTP security headers
Status: DONE
In Confluence 9.0, all served requests will have the following headers placed on them:
- X-XSS-Protection: 1; mode=block
- X-Content-Type-Options: nosniff
- X-Frame-Options: SAMEORIGIN
- Content-Security-Policy: frame-ancestors 'self' applinks.domain
- Strict-Transport-Security: max-age=31536000
Note that these can be customized globally by the customer using the following existing system properties:
- http.header.security.disabled
- http.header.security.hsts.max.age
- http.header.security.hsts.preload.enabled
- http.header.security.hsts.include.subdomains
- confluence.clickjacking.protection.disable
- http.header.security.content.security.policy.disabled
- http.header.security.content.security.policy.value
The following plugin opt-out mechanisms are supported:
- Plugin servlets, using the init param securityHeadersExcluded=true
- Plugin servlet-filters, using the init param securityHeadersExcluded=true
Discover how to exclude servlet URLs and servlet-filter URLs from Confluence’s default security headers.
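To confirm after an upgrade which responses carry the defaults and which servlets have opted out, captured response headers can be compared against the list above. The following is an added example, not Atlassian code: the header names and default values come from this page, while the function names and both sample responses are constructed.

```python
"""Compare response headers with the Confluence 9.0 defaults listed above.

Added example: header names and default values come from the page; the
function names and the sample responses are constructed for illustration.
"""
import re

EXACT_DEFAULTS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}
DEFAULT_HSTS_MAX_AGE = 31536000

# Constructed samples: a page served with the defaults, and a plugin servlet
# registered with securityHeadersExcluded=true.
DEFAULT_RESPONSE = {
    "x-xss-protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' applinks.domain",
    "Strict-Transport-Security": "max-age=31536000",
}
EXCLUDED_SERVLET_RESPONSE = {"Content-Type": "application/json"}


def csp_directives(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    parsed = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed


def check_security_headers(headers):
    """Return {header: problem} for every deviation from the 9.0 defaults."""
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    problems = {}

    for name, expected in EXACT_DEFAULTS.items():
        value = seen.get(name.lower())
        if value is None:
            problems[name] = "missing"
        elif value.lower() != expected.lower():
            problems[name] = f"expected {expected!r}, got {value!r}"

    csp = seen.get("content-security-policy")
    if csp is None:
        problems["Content-Security-Policy"] = "missing"
    else:
        sources = csp_directives(csp).get("frame-ancestors")
        if sources is None:
            problems["Content-Security-Policy"] = "no frame-ancestors directive"
        elif "'self'" not in sources:
            problems["Content-Security-Policy"] = "frame-ancestors lacks 'self'"

    hsts = seen.get("strict-transport-security")
    match = re.search(r"max-age\s*=\s*\"?(\d+)", hsts or "", re.IGNORECASE)
    if hsts is None:
        problems["Strict-Transport-Security"] = "missing"
    elif match is None:
        problems["Strict-Transport-Security"] = "no max-age"
    elif int(match.group(1)) != DEFAULT_HSTS_MAX_AGE:
        problems["Strict-Transport-Security"] = (
            f"max-age {match.group(1)} differs from default")
    return problems
```

A reported deviation is not necessarily a fault: it may reflect one of the system properties or the securityHeadersExcluded opt-out described above, so treat the result as a list of places to confirm the change was intended.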
Embedded Crowd upgrades in progress
Status: DONE
We're upgrading Embedded Crowd to version 6. This update will enhance performance, expand our toolbox with new features compatible beyond Confluence 9.0, and streamline future upgrades of Embedded Crowd.
Visit the Preparing for Crowd 6.0 page for more details.
New health check for improved backup security
Status: DONE
The Atlassian Troubleshooting and Support app (ATST) will be upgraded to version 2.0.0 and equipped with a new check for Local Backup Security. This health check warns about any stored backups in Confluence's file system, which may expose confidential data in the event of an attack.
The new health check will be available by default in Confluence Data Center 9.0.
Version 2.0.0 of the app is available only for Confluence versions 9.0 and beyond. If you’re using Confluence 8.9 or earlier, you can still use version 1.x.x, which you can install and upgrade through Atlassian Marketplace.
Beyond 9.0 planned changes
OpenSearch opt-in feature ready for early access
Status: ADVANCE NOTICE
We’re working to introduce OpenSearch as an opt-in search engine in an upcoming feature release of Confluence 9.x. It will not be part of Confluence 9.0. This will provide more advanced indexing options leading to less processing requirements and faster search results.
As part of our Early Access Program (EAP), we’ve updated the OpenSearch upgrade guide, to include links to new content on how to set up OpenSearch, and information on what's currently working and what we're still working on, should you wish to test during the EAP phase. At this early stage, OpenSearch during EAP is not suitable for production environments, but we invite you to try it on your testing environment.
Contact us on osfc@atlassian.com, or via our customer support channel.
Two-step verification in Confluence
Status: ADVANCE NOTICE
We’re working on improving the security of our login experience for Confluence by allowing customers to add a second authentication layer.
The new login process will support a built-in two-step verification (2SV) capability using time-based one-time password (TOTP) as a second factor.
We’re happy to announce that we’re launching an Early Access Program (EAP) to seek feedback for the prototype of this solution and invite you to take part in this. See the recent Atlassian developer changelog entry for updates, useful links and videos.
Implemented changes
In this section we'll provide details of changes we have implemented, organised by the milestone they are first available in. This will help you decide which milestone to use when testing.
RC 2 – 22 July 2024
Milestone 9.0.0-rc2
Contains:
- Reactivated Confluence Cloud Migration Assistant
- Minor bug fixes
RC 1 – 15 July 2024
Milestone 9.0.0-rc1
Contains:
- Opt-in OpenSearch search engine
- Trusted Application endpoint access restricted
- Minor bug fixes
Beta 2 – 8 July 2024
Milestone 9.0.0-beta3
Contains:
- Deprecated code removals
- Embedded Crowd upgrades
- Minor bug fixes
Beta 1 – 1 July 2024
Milestone 9.0.0-beta2
Contains:
- Removal of custom language syntaxes from Code Block macro
- Removal of JAACS setup via setup wizard
- Minor bug fixes
EAP 23 – 24 June 2024
Milestone 9.0.0-m132
Contains:
- Minor bug fixes
EAP 22 – 17 June 2024
Milestone 9.0.0-m123
Contains:
- Confluence REST API now in Swagger
- Dark theme
- Allowlist method invocations within your Velocity templates
- Minor bug fixes
EAP 21 – 11 June 2024
Milestone 9.0.0-m116
Contains:
- Minor bug fixes
EAP 20 – 3 June 2024
Milestone 9.0.0-m109
Contains:
- Upgrades to jQuery 3.x
- New healthcheck for local backup security
- Minor bug fixes
EAP 19 – 27 May 2024
Milestone 9.0.0-m97
Contains:
- Minor bug fixes
EAP 18 – 21 May 2024
Milestone 9.0.0-m92
Contains:
- New default HTTP security headers
- Minor bug fixes
EAP 17 – 13 May 2024
Milestone 9.0.0-m81
Contains:
- Webpage changes: check your webpack config is up to date
- Reinstatement of most of Web Resource Manager functionality
- Allowlist your Velocity files on the filesystem
- Allowlist your Velocity file types for files on the filesystem
- Breaking changes and minor bug fixes
EAP 16 – 6 May 2024
Milestone 9.0.0-m72
Contains:
- Platform 7 upgrade
- More secure defaults for endpoints
- Minor bug fixes
EAP 15 – 29 April 2024
Milestone 9.0.0-m57
Contains:
- Version 3.0.x of pocketknife-dynamic-modules now available
- Struts Velocity directives no longer supported
- Minor bug fixes
EAP 14 – 22 April 2024
Milestone 9.0.0-m48
Contains:
- Struts Actions XSRF protection enabled by default
- Decomposition of ConfluenceActionSupport
- Minor bug fixes
EAP 13 – 16 April 2024
Milestone 9.0.0-m41
Contains:
- New REST APIs
- TinyMCE upgrade
- Temporary pause of some Web Resource Manager functionality
- Removal of Gray APIs
- Removal of legacy backup and restore system
- Minor bug fixes
EAP 12 – 8 April 2024
Milestone 9.0.0-m30
Contains:
- Added dark feature for dark theme color conversion
- Minor bug fixes
EAP 11 – 2 April 2024
Milestone 9.0.0-m26
Contains:
- Added OpenSearch as EAP for a later release
- Minor bug fixes
EAP 10 – 25 March 2024
Milestone 9.0.0-m23
Contains:
- Minor bug fixes
EAP 9 – 18 March 2024
Milestone 9.0.0-m16
Contains:
- Minor bug fixes
EAP 8 – 11 March 2024
Milestone 9.0.0-m15
Contains:
- pocketknife-dynamic-modules versions 1.1.1 and 2.0.0
- Minor bug fixes
EAP 7 – 4 March 2024
Milestone 9.0.0-m14
Contains:
- Minor bug fixes
EAP 6 – 27 February 2024
Milestone 9.0.0-m13
Contains:
- Upgraded to SLF4J 2 (Simple Logging Facade for Java)
- Fixed default serialization for REST v2 for JodaTime and java.time
- Upgraded to platform 7.0.0-m20, including breaking changes in atlassian-event, including removal of Event interface
EAP 5 – 19 February 2024
Milestone 9.0.0-m11
Contains:
- Minor bug fixes
EAP 4 – 12 February 2024
Milestone 9.0.0-m10
Contains:
- Minor bug fixes
EAP 3 – 5 February 2024
Milestone 9.0.0-m09
Contains:
- Minor bug fixes
EAP 2 – 29 January 2024
Milestone 9.0.0-m08
Contains:
- Minor bug fixes
EAP 1 – 22 January 2024
Milestone 9.0.0-m07
Contains:
- Removal of deprecated code paths
- Minor bug fixes
Looking for updated documentation? Check out the Confluence EAP space for the latest docs.
Did you know we’ve got a new developer community? Head to community.developer.atlassian.com/ to check it out! We’ll be posting in the announcements category when new EAP releases are available.