Confluence Data Center / CONFSERVER-93651

Remove PII from /users endpoint URLs


Details

    • Type: Suggestion
    • Resolution: Unresolved
    • Component: Security
    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Currently, the /users endpoints (and there are probably other similar endpoints) include usernames in the GET request URLs:

      • /followuser.action?username=myname&mode=blank
      • /users/viewfollow.action?username=myname
      • /users/viewuserprofile.action?username=myname

      This allows an attacker to obtain PII from server logs, browser history, etc.

      It would be more secure to include the username in the request/response body instead.
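      As an added example (not code from this issue or from Confluence itself), the Python below shows the exposure described above and one log-side mitigation. It parses constructed access-log lines in the common "combined" format that carry the three request paths from the issue, extracts the username values anyone with read access to the log would obtain, and redacts identifying query parameters before the request line is logged. The log lines are constructed, and the parameter names other than username are assumptions.

```python
"""Added example, not part of the Jira issue or of Confluence's own code.

Demonstrates how usernames in GET query strings land in access logs, and
one mitigation a reverse proxy or logging layer can apply when the endpoints
cannot be changed: redact identifying query parameters before logging.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as PII. Only "username" appears in the issue;
# "email" and "fullname" are assumptions added for illustration.
PII_PARAMS = {"username", "email", "fullname"}

# Constructed sample log lines in Apache/nginx "combined" format. They are
# not real Confluence logs; the request paths are the ones from the issue.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /followuser.action?username=myname&mode=blank HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:12:00:01 +0000] "GET /users/viewfollow.action?username=myname HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /users/viewuserprofile.action?username=myname HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Jan/2024:12:00:03 +0000] "POST /users/viewuserprofile.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Matches the quoted request line: method, request target, protocol.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def usernames_in_log(log_text: str) -> list[str]:
    """Return every PII parameter value recoverable from the request targets.

    This is the attacker's view: whoever can read the access log gets the
    usernames without ever touching the application.
    """
    found = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key in PII_PARAMS:
                found.append(value)
    return found


def redact_target(target: str) -> str:
    """Replace the values of PII query parameters with a fixed marker.

    The path and non-sensitive parameters (e.g. mode=blank) are kept so the
    log entry stays useful for debugging. A request without a query string,
    such as the POST variant, is returned unchanged.
    """
    parts = urlsplit(target)
    if not parts.query:
        return target
    cleaned = [
        (k, "[REDACTED]" if k in PII_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    # safe="[]" keeps the marker readable instead of percent-encoding it.
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def redact_log(log_text: str) -> str:
    """Apply redact_target to the request line of every log entry."""

    def _sub(m: re.Match) -> str:
        return f'"{m.group("method")} {redact_target(m.group("target"))} {m.group("proto")}"'

    return "\n".join(REQUEST_LINE.sub(_sub, line) for line in log_text.splitlines())


if __name__ == "__main__":
    print("Leaked from the raw log:", usernames_in_log(SAMPLE_LOG))
    print(redact_log(SAMPLE_LOG))
    print("Leaked after redaction:", usernames_in_log(redact_log(SAMPLE_LOG)))
```

      Redaction of this kind only protects the server's own log. The URL is still recorded in browser history, in any intermediate proxy logs and potentially in Referer headers sent to other sites, so the application-level change the issue asks for (carrying the identifier in the request body, which web servers do not log by default) remains the actual fix; log redaction is a stop-gap for deployments that cannot change the endpoints.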

    People

      Assignee: Unassigned
      Reporter: Cole Aronson (caronson)
      Votes: 0
      Watchers: 2
