Hello,
Currently I’m developing a Confluence Plugin for Cloud enviornments, and I’m worried about data security. By creating this plugin, I doubt about any other Confluence plugin security.
I know there is a security program, but it relates to stored data, not network traveling data. Indeed, Confluence api encourages to send data in a non-secure way.
The problem here is that I want to notify about the problem I see, but I’m not sure about where to apply. I will explain it.
All communications with Confluence are done by HTTPS. That’s fine. But HTTPS doesn’t encrypt the URL itself. According to documentation, a Confluence Dynamic Content Macro cannot use POST protocol, so any Dynamic Macro with {macro.body}
parameter will send data in the url, that is, in clear text.
Following the thread, Static Content Macros may use the renderingMethod GET so, they could have the same problem.
Indeed, in these two scenarios, it is possible to avoid the {macro.body} parameter and request the body to the server always, but this is going to be slower than using it (until macro.truncated=True). So, secure plugins will be slower than unsecure ones.
Finally, once the Editor is loaded, Plugin developers are running any JavaScript code they want, so potentially they could send a request over GET or an AJAX request over HTTP sending data in an insecure way.
I must say I already found at least two of these problems in the only plugin I’ve being looking.
So…
How much should I trust on the Atlassian Security program?
Do yo know if there will be future improvements in order to certify communications too?
How can my plugin (using GET minimal data and then POST and cyphered data for any server connection) show that it is more secure than others?
How should I send these concerns to Atlassian?