Removing anonymous access to undocumented endpoints in Confluence Cloud

Hi all,
We’ve identified many resources and endpoints within Confluence Cloud that are publicly accessible (ie, anyone with an internet connection can access them, regardless of whether the tenant has anonymous access enabled or not).

While most of these endpoints are harmless, to reduce our exposure to security incidents we’re going to imminently roll out a change to deny access to them to anonymous users.

We don’t expect any vendors to be relying on any of these endpoints, as none of them are publicly documented. However, if you do run into issues due to this change, please let us know below and we will reach out to learn more about how you’re using this resource.

1 Like

Not saying that we (the developers that build on the Atlassian cloud platform) don’t trust y’all, but the past couple of months have seen changes being pushed through under the cover or announced as “it’s not going to break anything” but still having an impact on things. We’ve had repos removed with the excuse of “oops - didn’t mean to do that - it will take us a month or two to get it back”.

So - can we get a list of the end points being removed at least after they’ve been removed?

I will say though that it is appreciated to get the heads up (even though it’s 0 days)

1 Like

We are using the REST API /rest/prototype/1/search/group.json?query=... in Confluence Cloud for a group picker field to search groups by an entered prefix. This is undocumented for Confluence Cloud but works 🙂

I just checked that in our instance /rest/prototype/1/search/group.json is returning results for an anonymous user, but it fails with an authorization error when using the documented /rest/api/group. Is this “prototype” end-point one of the candidates for removal?

Kind regards,
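The check described in the post above (does an endpoint answer an unauthenticated request, or reject it the way the documented one does?) is something a site admin will want to repeat after the change ships. The following is an added example, not code from Atlassian or from the poster: it audits a list of paths against a base URL through a caller-supplied fetch function, so the same logic runs offline against constructed responses. The two paths are the ones named in the thread; `https://example.atlassian.net`, the `FAKE_RESPONSES` bodies and the `audit`/`classify` names are assumptions made here for illustration.

```python
"""Audit which Confluence Cloud REST paths answer anonymous (unauthenticated) requests.

Added example, not Atlassian's code. The only paths are the two named in the
thread; the fake responses below are constructed to mirror what the poster
observed (prototype path readable anonymously, documented path rejecting).
"""
from typing import Callable, Dict, List, Tuple
import urllib.error
import urllib.request

# Paths quoted in the thread: the first is undocumented, the second documented.
PATHS = [
    "/rest/prototype/1/search/group.json?query=dev",
    "/rest/api/group",
]

# A fetch function returns (HTTP status, response body) for one URL.
Fetch = Callable[[str], Tuple[int, str]]


def classify(status: int, body: str) -> str:
    """Map one unauthenticated response to an exposure label."""
    if status in (401, 403):
        return "denied"            # the behaviour the announcement intends
    if status == 200:
        # A 200 with an empty body is worth flagging separately: the path exists
        # but leaked nothing, which is different from returning tenant data.
        return "anonymous-readable" if body.strip() else "empty-200"
    return f"other-{status}"


def audit(base_url: str, fetch: Fetch, paths: List[str] = PATHS) -> Dict[str, str]:
    """Request each path without credentials and classify the answer."""
    return {path: classify(*fetch(base_url.rstrip("/") + path)) for path in paths}


def exposed_paths(results: Dict[str, str]) -> List[str]:
    """Paths that still return data to anonymous callers."""
    return sorted(p for p, label in results.items() if label == "anonymous-readable")


def stdlib_fetch(url: str) -> Tuple[int, str]:
    """Real unauthenticated GET (no cookies, no API token) using only the stdlib.
    Point this only at a tenant you administer."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed responses (assumed, not captured from a real site) modelling the
# pre-change behaviour the poster described.
ASSUMED_BASE = "https://example.atlassian.net"
FAKE_RESPONSES = {
    "/rest/prototype/1/search/group.json?query=dev": (200, '{"group": [{"name": "dev-team"}]}'),
    "/rest/api/group": (401, '{"message": "Client must be authenticated"}'),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for stdlib_fetch that serves the constructed responses."""
    return FAKE_RESPONSES.get(url[len(ASSUMED_BASE):], (404, ""))


if __name__ == "__main__":
    # Swap fake_fetch for stdlib_fetch (and ASSUMED_BASE for your own site) to run for real.
    for path, label in audit(ASSUMED_BASE, fake_fetch).items():
        print(f"{label:20} {path}")
```

After the rollout described in the announcement, re-running the audit with `stdlib_fetch` should move the prototype path from `anonymous-readable` to `denied`; any path still labelled `anonymous-readable` is one to raise in this thread or with support.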

Thanks for the notice, @rwhitbeck.
I read that this announcement is for Confluence Cloud - are you aware of any initiatives also for Jira Cloud?


1 Like

I’ve added a bit of clarity to the announcement, we are only checking and denying anonymous access to these undocumented resources and not removing them outright. Sorry for the confusion.

We’re not going to provide a list of the endpoints as that then makes them documented (also since we’re not removing them just denying access to anonymous users).