Our documentation on Best Practices for Configuring Confluence Security has not been updated since 2017, which also links to a Tomcat security best practices article that hasn't been updated since 2011 itself. During that time, the newest versions of Confluence are now utilizing Tomcat 9 and it's not certain if the same suggestions there are still recommended in 2021. There has also been growing demand for guidance on the CIS benchmark and/or STIG compliance.

It's suggested that these articles get updated to provide up-to-date recommendations on hardening Confluence and Tomcat.