atlassian-seraph / SER-229

Allow X-Seraph-LoginReason to be disabled


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Medium

      Problem Statement:

      We need to be able to turn off the X-Seraph-LoginReason response header in Confluence or align the values it provides when a user is present/not present due to security concerns around user enumeration.

      While using Confluence's internal authentication methods and trying to log in, a response header contains the result of the login attempt:

      • AUTHENTICATION_DENIED
      • AUTHENTICATED_FAILED
      • OK

      This allows an attacker to adjust their methods to account for the result in an effort to access Confluence.

      There could be an option, toggle, or switch, to disable the X-Seraph-LoginReason header to prevent this value from being returned or the response values could align in a way that does not differentiate if a user exists.

      Workaround

      No workaround is currently available at this time.
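The enumeration oracle this ticket describes, and the "aligned" alternative it proposes, in a small stand-alone illustration. This is added example code, not Seraph or Confluence code: the user store, the toy login handlers and the mapping of which internal outcome corresponds to an unknown user versus a bad password are all constructed assumptions; only the header name and the three reason values are taken from the ticket. The last function is the defender's regression check: it compares what a client can observe for an unknown user and for a known user with a wrong password, and reports whether the two are distinguishable.

```python
"""Login-reason header as a user-enumeration oracle (constructed example)."""
from dataclasses import dataclass, field

HEADER = "X-Seraph-LoginReason"  # header name from the ticket

# Constructed user store; plain comparison is a stand-in for real credential checking.
USERS = {"alice": "correct-horse"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def authenticate(username, password):
    """Internal outcome, using the three values listed in the ticket.

    Which value maps to which failure is an assumption made for this example.
    """
    if username not in USERS:
        return "AUTHENTICATION_DENIED"   # assumed: no such user
    if USERS[username] != password:
        return "AUTHENTICATED_FAILED"    # assumed: user exists, wrong password
    return "OK"


def login_leaky(username, password):
    """Behaviour the ticket complains about: the internal reason is echoed verbatim."""
    reason = authenticate(username, password)
    status = 200 if reason == "OK" else 401
    return Response(status, {HEADER: reason})


def login_aligned(username, password, expose_header=False):
    """Behaviour the ticket asks for: omit the header, or collapse every failure
    to one value so the header no longer distinguishes an existing user."""
    reason = authenticate(username, password)
    ok = reason == "OK"
    resp = Response(200 if ok else 401)
    if expose_header:
        resp.headers[HEADER] = "OK" if ok else "AUTHENTICATED_FAILED"
    return resp


def observable(resp):
    """Everything a client can compare: status code plus the full header set."""
    return (resp.status, tuple(sorted(resp.headers.items())))


def leaks_user_existence(login):
    """Defender's check: True if an unknown user and a known user with a wrong
    password yield distinguishable responses (i.e. the endpoint is an oracle)."""
    unknown = login("nobody", "wrong-password")
    known = login("alice", "wrong-password")
    return observable(unknown) != observable(known)


if __name__ == "__main__":
    print("leaky handler leaks existence:", leaks_user_existence(login_leaky))
    print("aligned handler leaks existence:", leaks_user_existence(login_aligned))
```

The check compares the status code and every response header, not just the one named in the ticket; in a real deployment the body, redirect target and response timing would need the same treatment, since aligning one header while another signal still differs leaves the oracle in place.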

            Assignee: Unassigned
            Reporter: Harrison
            Votes: 0
            Watchers: 1
            Updated: 1 week, 5 days ago