Project: Confluence Data Center
Issue: CONFSERVER-96013

X-Seraph-LoginReason response header improvements


      We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Statement:

      Because of security concerns around user enumeration, we need to be able either to turn off the X-Seraph-LoginReason response header in Confluence, or to align the values it returns so that they are the same whether or not the submitted user exists.

      When a user attempts to log in through Confluence's internal authentication, the response carries a header with the result of the login attempt:

      • AUTHENTICATION_DENIED
      • AUTHENTICATED_FAILED
      • OK

      Because the value differs depending on the outcome, an attacker can adjust their approach based on it in an effort to gain access to Confluence.

      There could be an option, toggle, or switch to disable the X-Seraph-LoginReason header so that this value is not returned at all; alternatively, the response values could be aligned so that they do not reveal whether a user exists.
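      The two behaviours the issue contrasts, as an added example that is not part of this issue or of Confluence's own code: align_login_reason() models the proposed fix (the toggle, or collapsing every failure onto one value), and flag_enumeration() is a defender-side check run over constructed log lines. It assumes the header value has been logged next to the client IP and username (an assumption; ordinary access logs do not record it), and, since the issue does not say which failure value corresponds to a present or absent user, it treats any pair of distinct failure values as a distinguishable outcome rather than assuming a mapping.

```python
from collections import defaultdict

FAILURE_REASONS = {"AUTHENTICATION_DENIED", "AUTHENTICATED_FAILED"}  # values listed in the issue
ALIGNED_FAILURE = "AUTHENTICATED_FAILED"  # constructed choice of the single failure value

def align_login_reason(reason, expose_header=True):
    """Header value to emit for a login outcome, or None to omit the header.
    expose_header=False models the requested toggle; otherwise every failure
    collapses onto ALIGNED_FAILURE, so a bad password for an existing account
    and an attempt against an unknown one get the same response."""
    if not expose_header:
        return None
    return ALIGNED_FAILURE if reason in FAILURE_REASONS else reason  # "OK" unchanged

# Constructed log lines: client IP, submitted username, X-Seraph-LoginReason value.
SAMPLE_LOG = """\
10.0.0.5 alice AUTHENTICATED_FAILED
10.0.0.5 bob AUTHENTICATION_DENIED
10.0.0.5 carol AUTHENTICATION_DENIED
10.0.0.5 dave AUTHENTICATED_FAILED
10.0.0.5 erin AUTHENTICATION_DENIED
10.0.0.7 alice AUTHENTICATED_FAILED
10.0.0.7 alice AUTHENTICATED_FAILED
10.0.0.9 alice OK
"""

def flag_enumeration(log_text, min_users=4):
    """Client IPs whose failed logins span many distinct usernames AND more than
    one failure value, i.e. where the differing header is actually yielding
    information. A client retrying one account (10.0.0.7) is not flagged."""
    users, reasons = defaultdict(set), defaultdict(set)
    for ip, user, reason in map(str.split, log_text.splitlines()):
        if reason in FAILURE_REASONS:
            users[ip].add(user)
            reasons[ip].add(reason)
    return sorted(ip for ip in users
                  if len(users[ip]) >= min_users and len(reasons[ip]) > 1)

def rewrite_log(log_text):
    """The same log as it would look once the server emits aligned values."""
    return "".join(f"{ip} {user} {align_login_reason(reason)}\n"
                   for ip, user, reason in map(str.split, log_text.splitlines()))

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))               # ['10.0.0.5']
    print(flag_enumeration(rewrite_log(SAMPLE_LOG)))  # []
```

      Once the failure values are aligned the detector no longer finds a differential, which is exactly the property the requested change would give the server.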

      Workaround

      No workaround is currently available.

      Assignee: Unassigned
      Reporter: Harrison