We’ve recently been made aware of the fact that our Confluence app’s servlets do not deliver the HTTP security headers that are delivered by default by Confluence (Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection response headers).
These same headers are delivered without a problem on the Jira version of our app.
Does anyone know why this works on Jira and not on Confluence?
PS: UPM has the same problem.
PPS: Tested on the latest enterprise releases of Jira (7.6.9) and Confluence (6.6.9)
PPPS: I have seen https://developer.atlassian.com/server/confluence/enabling-xss-protection-in-plugins/ and this seems to be unrelated (setting the described option does not cause these headers to be set)
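A small check to confirm the difference the question describes: this is an added example, not code from the post or from Atlassian, that audits a response's headers for the four protections named above. The expected values (nosniff, DENY/SAMEORIGIN, "1; mode=block") are an assumed baseline, and the two sample responses are constructed.

```python
# Added example (not from the original post): audit a servlet response's
# headers for the four protections the question names. Lookup is
# case-insensitive because HTTP header names are. The acceptable values
# are an assumed baseline, not what Confluence or Jira actually send.

EXPECTED = {
    "Content-Security-Policy": None,            # any non-empty policy
    "X-Content-Type-Options": {"nosniff"},
    "X-Frame-Options": {"DENY", "SAMEORIGIN"},
    "X-XSS-Protection": {"1; mode=block"},
}


def audit_headers(headers):
    """Return {header: problem} for every expected header that is missing or weak."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    problems = {}
    for name, allowed in EXPECTED.items():
        value = lowered.get(name.lower())
        if value is None or value == "":
            problems[name] = "missing"
        elif allowed is not None and value.upper() not in {a.upper() for a in allowed}:
            problems[name] = f"unexpected value {value!r}"
    return problems


# Constructed sample responses, modelled on the behaviour the poster describes.
JIRA_LIKE = {
    "Content-Type": "text/html;charset=UTF-8",
    "content-security-policy": "frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}
CONFLUENCE_LIKE = {
    "Content-Type": "text/html;charset=UTF-8",
    "X-Frame-Options": "ALLOWALL",  # constructed weak value, to exercise the value check
}

if __name__ == "__main__":
    for label, hdrs in (("jira-like", JIRA_LIKE), ("confluence-like", CONFLUENCE_LIKE)):
        print(label, audit_headers(hdrs) or "all expected headers present")
```

Point the same function at the headers of a real servlet response (for example those captured with a browser's network panel) to see exactly which headers the servlet drops.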