- Type: Improvement
- Resolution: Unresolved
- Priority: Medium
Problem Statement:
We need to be able to turn off the X-Seraph-LoginReason response header in Confluence, or align the values it returns whether or not a user exists, because of security concerns around user enumeration.
While using Confluence's internal authentication methods and attempting to log in, a response header carries the result of the login attempt:
- AUTHENTICATION_DENIED
- AUTHENTICATED_FAILED
- OK
This allows an attacker to adjust their methods based on the result in an effort to access Confluence.
There could be an option, toggle, or switch to disable the X-Seraph-LoginReason header so that this value is not returned, or the response values could be aligned so that they do not reveal whether a user exists.
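The following is an added illustration of the two mitigations the problem statement asks for (suppress the header, or align its failure values); it is not Confluence or Seraph code. It is a plain WSGI middleware that strips or normalises X-Seraph-LoginReason on outgoing responses, plus a defender's check that a failed login for a real account and one for a non-existent account produce identical status and headers. The toy login app, the account names, the `toy.user`/`toy.password` environ keys, and the choice of which failure value goes with which case are all constructed for the example; the issue does not state that mapping.

```python
"""Added illustration (not Confluence or Seraph code): WSGI middleware that
strips or aligns the X-Seraph-LoginReason header, plus a check that failed
logins for existing and non-existent accounts are indistinguishable."""

from typing import Callable, Dict, List, Tuple

Headers = List[Tuple[str, str]]
WSGIApp = Callable  # loose alias for readability

HEADER = "X-Seraph-LoginReason"
# Failure values listed in the issue. Which one Seraph emits for which case
# is not stated there, so the toy app below simply assigns one to each.
FAILURE_REASONS = {"AUTHENTICATION_DENIED", "AUTHENTICATED_FAILED"}
ALIGNED_FAILURE = "AUTHENTICATED_FAILED"  # generic value for "align" mode (our choice)


def filter_login_reason(headers: Headers, mode: str = "strip") -> Headers:
    """Return a copy of headers with X-Seraph-LoginReason removed ("strip") or
    with every failure value collapsed to one generic value ("align").
    The OK value is left untouched so successful logins still see it."""
    if mode not in ("strip", "align"):
        raise ValueError(f"unknown mode {mode!r}")
    out: Headers = []
    for name, value in headers:
        if name.lower() == HEADER.lower():
            if mode == "strip":
                continue  # drop the header entirely
            if value in FAILURE_REASONS:
                value = ALIGNED_FAILURE  # same value for every failure cause
        out.append((name, value))
    return out


def login_reason_middleware(app: WSGIApp, mode: str = "strip") -> WSGIApp:
    """Wrap a WSGI app so every response passes through filter_login_reason."""
    def wrapped(environ, start_response):
        def filtered_start_response(status, headers, exc_info=None):
            return start_response(status, filter_login_reason(headers, mode), exc_info)
        return app(environ, filtered_start_response)
    return wrapped


# Constructed stand-in for the login endpoint: two known accounts, and a
# different failure reason for an unknown user than for a wrong password.
# This models the leaky behaviour the issue describes, for testing only.
KNOWN_ACCOUNTS: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple"}


def toy_login_app(environ, start_response):
    user = environ.get("toy.user", "")
    password = environ.get("toy.password", "")
    if user not in KNOWN_ACCOUNTS:
        status, reason = "401 Unauthorized", "AUTHENTICATION_DENIED"
    elif KNOWN_ACCOUNTS[user] != password:
        status, reason = "401 Unauthorized", "AUTHENTICATED_FAILED"
    else:
        status, reason = "200 OK", "OK"
    start_response(status, [("Content-Type", "text/plain"), (HEADER, reason)])
    return [b""]


def call(app: WSGIApp, user: str, password: str) -> Tuple[str, Headers]:
    """Invoke a WSGI app in-process and capture its status line and headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    list(app({"toy.user": user, "toy.password": password}, start_response))
    return captured["status"], captured["headers"]


def failures_indistinguishable(app: WSGIApp) -> bool:
    """Defender's check: a wrong password for a real account and any password
    for a non-existent account must yield identical status and headers."""
    real_account = call(app, "alice", "wrong")
    ghost_account = call(app, "nobody", "wrong")
    return real_account == ghost_account


if __name__ == "__main__":
    print("unfiltered:", failures_indistinguishable(toy_login_app))
    print("strip     :", failures_indistinguishable(login_reason_middleware(toy_login_app, "strip")))
    print("align     :", failures_indistinguishable(login_reason_middleware(toy_login_app, "align")))
```

The check is deliberately strict (whole status line plus all headers must match), because aligning one header is pointless if another header, the status code, or the body still differs between the two cases. The same comparison can be run against a staging instance's real responses once the header is suppressed at whatever layer a deployment chooses.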
Workaround
No workaround is currently available at this time.
- Is cloned from: CONFSERVER-96013 X-Seraph-LoginReason response header improvements
- Status: Gathering Interest