Hide details and stack trace information in the error pages of your Confluence environment

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Summary

Some error pages can reveal the product version or other details in your browser, which may pose a security risk.
For example, a standard error page in Tomcat looks like this:

The following steps help suppress almost all of the information from these kinds of error messages.

Steps

In most common infrastructures, there are three components that can allow these error messages to be exposed.

Confluence

For the Confluence product itself, this security concern was addressed in version 7.13.5 under CONFSERVER-55306.

The Confluence stack trace page is only visible when Developer Mode is enabled.

Tomcat App Server

In Tomcat, edit the file server.xml and add a new ErrorReportValve by following the steps below:

  1. Edit the file <install-directory>/conf/server.xml
  2. Search for the element that starts with <Host name=
  3. Just below that line, insert the following element:

    <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
  4. Restart the application

  5. The error page will now look as follows:

The HTTP response code is not affected by the above steps.
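
To confirm the valve from the steps above is present for every Host, the following Python check parses server.xml and reports any Host where the ErrorReportValve is missing or still allows the report or server info. It is an added example, not part of the original article or Atlassian tooling; the function name and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample server.xml: the first Host is hardened, the second is not.
SAMPLE_SERVER_XML = """\
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
      <Host name="other.example" appBase="webapps2">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" />
      </Host>
    </Engine>
  </Service>
</Server>
"""

def audit_error_report_valve(server_xml: str) -> dict:
    """Return {host name: [findings]}; an empty list means the Host is hardened."""
    findings = {}
    for host in ET.fromstring(server_xml).iter("Host"):
        name = host.get("name", "<unnamed>")
        valves = [v for v in host.findall("Valve") if v.get("className") == VALVE]
        if not valves:
            findings[name] = ["no ErrorReportValve configured"]
            continue
        problems = []
        for attr in ("showReport", "showServerInfo"):
            # Tomcat treats both attributes as true when they are omitted,
            # so every matching valve must set them to false explicitly.
            if any(v.get(attr, "true").strip().lower() != "false" for v in valves):
                problems.append(f"{attr} is not false")
        findings[name] = problems
    return findings

if __name__ == "__main__":
    for host, problems in audit_error_report_valve(SAMPLE_SERVER_XML).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

To audit a real installation, pass the contents of <install-directory>/conf/server.xml to the function instead of the sample string.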


Reverse Proxy/WebServer

You may have a Reverse Proxy/WebServer in front of your Confluence environment.

For example, in Apache WebServer you can use the ErrorDocument directive to detect these errors and redirect users to a message or a different page without showing the actual error page. Additional information is available in Custom Error Responses.

Other reverse proxies may have different configurations. Check the proxy/webserver documentation or contact your provider for additional support.


Last modified on Jun 27, 2023
