Details
Suggestion
Resolution: Unresolved
None
5
Description
Hello,
Recently I have been alerted to some security issues by our compliance teams. They have informed me of CSP issues on Confluence, essentially making it potentially susceptible to XSS attacks. To resolve this issue, the following suggestion has been made:
- `upgrade-insecure-requests`: Replace insecure traffic (served over HTTP) with secure traffic.
- `default-src 'none'`: The default setting for all the *-src directives. Preferred 'none', but 'self' or your CDN domain is fine. If not specified, the default for all the *-src directives is ``.
- `object-src 'none'`: Always configure, regardless of your `default-src` setting. Console services cannot use object, embed or applet elements.
This is something that Confluence can fix to prevent this level of vulnerability. What other measures does this system take to help with CSP issues?
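As an added example (not code from this ticket, the reporter, or Confluence itself), the following Python script parses a Content-Security-Policy header the way a browser does and checks it against the three recommendations in the description above: `upgrade-insecure-requests` present, `default-src` set and not wide open, and `object-src 'none'` configured explicitly. The two sample headers and the list of source expressions treated as weak are constructed assumptions for the demonstration.

```python
"""Check a Content-Security-Policy header against the three recommendations
from the ticket. Added example, not Confluence's own code."""
from typing import Dict, List, Optional

# Source expressions that make default-src effectively unrestricted.
# Constructed list for this example; 'self', 'none' and a CDN host are fine.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a directive wins; later duplicates are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Return the source list that actually governs a fetch directive.

    A fetch directive that is not set falls back to default-src; if neither
    is set the result is None, meaning the browser applies no restriction.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def check_csp(header: str) -> List[str]:
    """Return findings for the header; an empty list means all three
    recommendations from the ticket are satisfied."""
    policy = parse_csp(header)
    findings: List[str] = []

    # 1. HTTP subresources should be upgraded rather than loaded as-is.
    if "upgrade-insecure-requests" not in policy:
        findings.append("missing upgrade-insecure-requests")

    # 2. default-src must exist and must not contain wide-open sources.
    default = policy.get("default-src")
    if default is None:
        findings.append("missing default-src: unset *-src directives are unrestricted")
    else:
        weak = sorted(s for s in default if s.lower() in WEAK_SOURCES)
        if weak:
            findings.append("default-src allows weak sources: " + ", ".join(weak))

    # 3. object-src must be set explicitly to 'none', regardless of default-src.
    if "object-src" not in policy:
        findings.append("object-src not configured explicitly")
    elif [s.lower() for s in policy["object-src"]] != ["'none'"]:
        findings.append("object-src is not 'none': " + " ".join(policy["object-src"]))

    return findings


# Constructed sample headers: one weak, one meeting the recommendations.
WEAK_HEADER = "default-src *; script-src 'self' 'unsafe-inline'"
HARDENED_HEADER = (
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "object-src 'none'; upgrade-insecure-requests"
)

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(f"{label}: {header}")
        for finding in check_csp(header) or ["no findings"]:
            print("  -", finding)
```

Running the script prints three findings for the weak header and none for the hardened one. `effective_sources` is what shows why the ticket insists on an explicit `object-src`: with `default-src *` and no `object-src`, plugin content is governed by `*`, and with no `default-src` at all it is governed by nothing.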