Prevent other users from viewing atlassian-connect.json

Hi, I am new to developing in Jira Cloud and using ACE.

I want to know if there is any risk if the atlassian-connect.json is exposed. Will users know how the Cloud app is implemented?

I tried searching around to see if it is possible to prevent other users from viewing the file but was not able to find anything. It would be great if someone could point me in the right direction or answer my question about whether there are any security issues if the file is exposed.

Thanks for the help!

Hi @Potato123

The atlassian-connect.json file must be exposed publicly in order for your app to work.

There are no immediate security problems that result from doing this, and yes, it does mean that curious users will be able to see exactly what functionality your app is providing to Jira.

An example of an indirect security problem that you should consider is that you cannot rely on things like display conditions or hiding UI elements in Jira to ensure that only authorised users can access your app. Any HTTP endpoint in your app can be invoked any time by any user from anywhere - just like any standard web application, you should ensure that all exposed endpoints have appropriate authentication and authorization.

Hope this helps!

4 Likes
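
An added example, not code from this thread or from atlassian-connect-express, of the server-side check the reply describes: the endpoint authenticates the request's JWT and then authorizes the user itself, whatever the descriptor's conditions hid in the UI. The `tenants` store, the `admins` list and the function names are assumptions for illustration, and verification of the Connect `qsh` claim is left out.

```javascript
// Added example (not from the thread): every endpoint checks the caller itself.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed sample data: the shared secret saved at install time, keyed by
// clientKey, plus a hypothetical per-tenant list of accounts allowed to call
// the endpoint.
const tenants = {
  "tenant-abc": { sharedSecret: "constructed-secret", admins: ["acct-1"] },
};

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (secret, data) => createHmac("sha256", secret).update(data).digest();

// Builds an HS256 token; used here only to construct sample requests.
function signJwt(claims, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const signed = `${head}.${b64url(JSON.stringify(claims))}`;
  return `${signed}.${b64url(hmac(secret, signed))}`;
}

// Authentication (401) first, then authorization (403). Nothing here relies
// on the UI having hidden the link to this endpoint.
function authorizeRequest(token, nowSeconds) {
  const deny = (status, reason) => ({ status, reason });
  const parts = String(token || "").split(".");
  if (parts.length !== 3) return deny(401, "missing or malformed token");
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  } catch {
    return deny(401, "malformed token");
  }
  if (header?.alg !== "HS256") return deny(401, "unexpected algorithm");
  const issuer = String(claims?.iss);
  const tenant = Object.hasOwn(tenants, issuer) ? tenants[issuer] : null;
  if (!tenant) return deny(401, "unknown tenant");
  const expected = hmac(tenant.sharedSecret, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return deny(401, "bad signature");
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return deny(401, "token expired");
  if (!tenant.admins.includes(claims.sub)) return deny(403, "user not authorized");
  return { status: 200, reason: "ok" };
}
```
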