Configure certain Confluence pages to never be cached by browser

Tony Poppleton May 23, 2012

Some pages in our wiki hosted on Confluence contain very sensitive information. Is there a way to ensure that browsers are told to not cache these pages locally?

For example if someone were to login to Confluence from a public computer, we don't want our data persisting in the local browser cache on that computer.

The ideal solution would be for a per-page setting, however even a wiki-wide setting would be useful.

Thanks

2 answers

1 accepted

1 vote
Answer accepted
David at David Simpson Apps
Marketplace Partner
May 23, 2012

To remove caching in Apache, check these examples:

http://www.askapache.com/hacking/speed-site-caching-cache-control.html

I'd expect that you'll want to cache images, CSS, JS etc.

You could potentially do this for a single space only using some kind of regexp, but that may be a little tricky.

You'll likely want to enable HTTPS too so that no one can snoop on the data while it's being transferred.
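An added example, not part of the answer above or the linked article: one way to send no-cache headers from an Apache reverse proxy in front of Confluence with mod_headers, either for one space or wiki-wide while leaving static assets cacheable. It assumes Confluence is proxied through this virtual host, that page views are served under `/display/<SPACEKEY>/` and `/pages/`, and that attachments are served under `/download/`; `SECRET` is a hypothetical space key.

```apache
# Place inside the <VirtualHost> that proxies Confluence.
# Needs mod_headers and mod_setenvif. Use Option 1 or Option 2, not both.
# "Header set" (without "always") replaces the value sent by the proxied
# backend, so the browser does not see two Cache-Control headers.

# --- Option 1: a single space (SECRET is a hypothetical space key) ---
<LocationMatch "^/display/SECRET(/|$)">
    # no-store tells the browser not to write the response to its cache
    Header set Cache-Control "no-store, no-cache, must-revalidate, private"
    # Pragma and Expires cover HTTP/1.0 clients and old proxies
    Header set Pragma "no-cache"
    Header set Expires "0"
</LocationMatch>

# Pages opened as /pages/viewpage.action?pageId=N carry no space key in
# the path, so a per-space regexp cannot select them. Cover all of them.
<LocationMatch "^/pages/">
    Header set Cache-Control "no-store, no-cache, must-revalidate, private"
    Header set Pragma "no-cache"
    Header set Expires "0"
</LocationMatch>

# --- Option 2: wiki-wide, static assets stay cacheable ---
# Flag requests for images, CSS and JS by extension ...
# SetEnvIf Request_URI "\.(css|js|png|gif|jpe?g|ico|svg)$" static_asset
# ... but clear the flag for attachments, which may be sensitive images.
# SetEnvIf Request_URI "^/download/" !static_asset
# Header set Cache-Control "no-store, no-cache, must-revalidate, private" env=!static_asset
# Header set Pragma "no-cache" env=!static_asset
# Header set Expires "0" env=!static_asset
```

After reloading Apache, `curl -sI` against a page URL in the space should show `Cache-Control: no-store, no-cache, must-revalidate, private` in the response headers.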

2 votes
Joerg Bencke
Rising Star
May 23, 2012

Hi Tony,

That has nothing to do with Confluence. You need to enclose the proper HTML command (a meta pragma to "always refresh this page").

Set up a user macro or a page with the HTML code stub and include it in those pages where you need it. Either on a page or in the theme configuration, if it should be included with all pages in that space.

For ease of administration and theme-wide application, you might want to make that a tag-dependent user macro. This way, you can search for pages with that restriction and each page checks at runtime whether it should be cached in the client.

For further reading : http://www.htmlgoodies.com/beyond/reference/article.php/3472881/So-You-Dont-Want-To-Cache-Huh.htm

Josh

Tony Poppleton May 23, 2012

Hi Josh,

Thanks for the response.

Having read a little more about caching via your link and Google, it seems the most reliable way is to modify the HTTP headers of the server, rather than modify the HTML as you suggest (which works in some browsers but not all, and is ignored by any proxies, which is why HTTP headers are the recommended solution).

So in this case that would be the Apache server that runs Confluence, and it would affect caching across the entire wiki not just the sensitive pages, but I am happy with that tradeoff for the added security. Do you have any information on how this could be achieved?

It is probably fairly common for sensitive information to be stored in the wiki, and the last place you want passwords/credit card info stored is in the local cache of a browser as that is one of the first places hackers will look. Do you know if there is already a feature request for a per-page setting in Confluence where users can mark a page as containing sensitive info? In fact, it could even suggest marking a page as sensitive if the word "password" is found in the content.

Digressing slightly, but in a similar vein, a password widget would be useful - similar to how Chrome & Firefox display your stored passwords in the preferences, where by default they appear censored with a "show" button alongside it.

If these feature requests don't already exist, I will consider adding them. Any comments welcome.

Thanks

Joerg Bencke
Rising Star
May 24, 2012

Hi Tony,
For the Apache cache, see the other answer.

One side note about "storing sensitive information": I don't know anything about the feature requests, you will have to check the Jira site. For the rest - that depends on the protection level you need. But the central question: would the wiki be a place to store sensitive information at all?

If so, you will have to harden the platform and server as well massively unless you want to stand in line with the Sonys, ...... (insert long line of hacked servers with stolen credit card data etc.) of this world.

Anything from restricted userbase, token authentication, VPN access all the way to terminal server access. Just as a reminder :)

About the widget - check out the TrueCrypt project. Might be an approach.

Tony Poppleton May 26, 2012

Thanks Josch. Yup server is already fully hardened, and the only access to Confluence & Jira is via SSH tunnels, and the disks are fully encrypted.

We have come up with the lazy solution to educate all staff to use the private mode in their browsers whenever they browse the wiki, to avoid any local caching. This is obviously not enforceable, but it is a quick and easy solution until we implement the Apache caching mentioned in the other answer.
