Questions on Security for Confluence Add On intended for only Internal use

jungwoo.suh · May 26, 2017, 4:49pm

Hi Everyone,

We have a confluence cloud account we use.
We intend to make a confluence page that gets updated by a scheduled script everyday.
To create this page in confluence, we have to make it as an add on and of course need to host it somewhere.

Is there any way we can get around hosting this add on publicly? It seems for initial add (and for the regular use), we need to have a publicly accessible url to upload the atlasssian-connect.json file.

What restrictrions can we place on incoming http requests to this add on?

daniel · May 26, 2017, 6:21pm

You don’t need to have an add-on do this. You can use the rest api to make the updates with a dedicated user using it’s credentials.

If you still want to do an add-on - yes the add-on has to be available publicly. There are no “known” ips (at least not officially) for the atlassian cloud. However what you can do is just block all of the other tenants from the jwt tokens. See https://developer.atlassian.com/static/connect/docs/latest/concepts/authentication.html and https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html . You basically would only want your instance’s iss to come through.

jungwoo.suh · May 26, 2017, 6:23pm

Thank you. We’ll go with your first suggestion.