Page tree
Skip to end of metadata
Go to start of metadata


The Extended Restrictions tab inside the Space Privacy configuration allows you to whitelist add-ons which are not initially supported by Space Privacy.

Secure additional URLs

We did our best to secure all sensitive user data within Confluence and Linchpin. But there are many third-party apps which provide their own functions and may expose too much information in an extranet.


Add a custom filter

We let you choose to secure functions provided by third-party apps by simply blocking them for extranet users.

A URL (function) is blocked, if the user

  • is assigned to at least one extranet space AND
  • is not a user or space manager in at least one extranet space AND
  • is not a Confluence administrator AND
  • the visibility configuration is set to "Global and Space Administrators and Extranet User Managers".


To add a custom filter, enter the URL which should be blocked in the Secure additional URL field.

Then, click on the Add button.


The base URL and the context path are already inserted, so you can omit them.

For example: Instead of http://yourinstance.com/confluence/browsepeople.action you can enter browsepeople.action.




Certain URLs cannot be blocked, as they may break your Confluence instance.


Those URLs are:

  • /admin/*
  • /download/*
  • /images/*
  • /plugins/servlet/upm


If you block any of these URLs, the user will see a "404 - Page not found" error (instead of a "No Permission" error). This way no information is exposed about the existence of a function within your instance.





Use a wildcard

To block several extensions with the same URL base you may use wildcards (asterisks).

For example if you enter /plugin/example*, all of the the following URLs will be blocked:

  • /plugin/example
  • /plugin/example/page
  • /plugin/example/page/childpage


These URLs will NOT be blocked:

  • /plugin/extra
  • /plugin/extra/page



Username placeholders

Some URLs contain a dynamic username (e.g. to fetch data for a specific user). In this case you can add a placeholder in the URL mask and the app will check if you are allowed to see the specified user. If it's not the case, the app will block the content.

Add the key word {username} into your URL.

For example if you enter /plugin/sensitivedata/{username} the app will check visibility restrictions for the actual value in place of {username}.

Let's say the visited URL ends in /plugin/sensitivedata/extranetuser1. If the visitor is not allowed to see this user, the content will be blocked.

You can also use query parameters, like /plugin/userdata?username={username}. You can check the visibility for a specific user - for example when you go to the URL ending with /plugin/userdata?username=extranetuser1.