[CONFSERVER-93651] Remove PII from /users endpoint URLs - Create and track feature requests for Atlassian products.

We couldn't load the project sidebar. Refresh the page to try again.
If the problem persists, contact your Jira admin.

Type: Suggestion
Resolution: Unresolved
Fix Version/s: None
Component/s: Security
Labels:
None

Feedback Policy:

We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Currently accessing the /users endpoints (and there are probably other similar endpoints) include usernames in the GET requests URLs:

/followuser.action?username=myname&mode=blank
/users/viewfollow.action?username=myname
/users/viewuserprofile.action?username=myname

This allows an attacker to obtain PII from server logs, browser history, etc.

It would be more secure to include the username in the request/response body instead.

Form Name

There are no comments yet on this issue.

Assignee:: Unassigned

Reporter:: Cole Aronson

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 14/Dec/2023 9:46 PM

Updated:: 14/Dec/2023 9:48 PM