This might be a noob question, but I didn’t find a definitive answer to this question reading the Atlassian resources about security.
My question is the following: If I want to offer an app for Confluence Cloud that, for example, is able to read and write attachments, do I need an active server that performs token validation for user authorization, or is it enough to serve the app resources statically like a webpage, and the app authenticates against the Confluence Cloud server?
I’m asking this because running an active server obviously comes with an increased effort and cost, e.g. for ensuring security and guaranteed uptime, keeping things up to date and so on.
I would really be glad if someone could shine some light on this topic. Thanks in advance.
Hi @jens.boehm 
This depends entirely on what your use case is. From a technical perspective you can have a purely static app if you make sure the authentication part in your atlassian-connect.json is set to none. As long as you can perform all actions in the frontend that’s completely fine. For certain things though it might only make sense to do them from your backend, so in that case you’ll need to set this to jwt and will also have to set up a database & server.
Depending on what your app does it might very well be that you’ll never need a backend for it. But maybe one day you’ll want to implement a feature that does require a backend and then you might have a hard time properly transitioning all your users over to the new version. So it might be smart to have a backend from the very beginning, even though you might not need it.
Another way to get around this would be to use forge. This however is still in beta and Atlassian so far has not made a public announcement on when/if this will become available for the Marketplace. Hope this helps!
Cheers,
Sven
2 Likes
Hi @sven.schatter, thank you very much for your answer! That sounds promising for our use-case.
Just to clarify, the security requirements document states that
“The application must authenticate and authorize all requests. Anonymous access to application endpoints and resources can be allowed in scenarios where it is needed.”
All our app does runs client-side. The server that hosts the app should only provide static, user-independent, cached assets without ever seeing any user-specific data. This will not change in the future. Is this covered by above requirement with authentication set to none?
I think this is absolutely okay for your use case, yes. If you checked some of the bigger Cloud apps on the Marketplace I’m sure you’d find that nearly all of them deliver their static resources publicly. 
1 Like
Thank you very much, @sven.schatter!
1 Like