• Documentation

How secure are public links?

Public links allow teams to share individual Confluence pages and whiteboards with people outside of Confluence without giving them access to Confluence. This could be useful for sharing information to the public, like customer FAQs, release notes, shareholder letters, and more.

On this page, you’ll learn how public links work and, in particular, how secure they are.

If you’re an admin looking for guidance on how to get started with public links, go to Control whether spaces can allow public links.

If you’re looking for help on how to actually share individual pages and whiteboards, go to Share content externally with public links.

Public links are only available on Confluence’s paid plans (Standard, Premium, and Enterprise). Only Confluence pages and whiteboards can have public links, not any other type of Confluence content (e.g., blogs, databases, etc.).

Anyone on the internet with the public link can view its content.

Public links ignore restrictions on who can view content in Confluence.

Normally, Confluence content obeys view restrictions inherited all of its higher-level containers — any parent content, the space, and the site itself. However, the public link will just work. Anyone on the internet who has the content item’s public link can use it to view the safe, view-only version of the page.

Again, this means restricting a parent item won’t have any effect on who can view the public link of a child item.

Atlassian has taken all necessary steps in its capability to make sure search engines do not index our public links.

This means that public links are not indexed by search engines, which means no one will be able to find the public link in a Google search. They need the actual public link.

If you turn a public link off, anyone using it to try to access the content will get a message saying the content can’t be found. But if you later turn the public link back on, people who already have the public link will again be able to access the content because it’s the same link as before.

Public links are controlled at 3 levels:

  1. In Global permissions, product admins can control whether the site should allow the use of public links. Allowing public links on the site doesn’t itself make anything public. It simply offers users on the site the option of turning on a public link for any content.

  2. In Space permissions, product and space admins can control whether a specific space should allow the use of public links. Public links must be allowed on the site first. Like the global setting, allowing public links in a space doesn’t itself make anything public. It simply offers users in the space the option of turning on public links.

  3. On specific content items, users can turn on or off a public link as long as they can edit the content and as long as public links are allowed by an admin. A user who can view a content item but not edit can still copy a public link that’s already on and share it with anyone on the internet.

In the Public links tab of Global permissions, product admins will find a list of all the spaces on their site, see whether a space allows or doesn’t allow public links, and make changes.

Product admins on the Premium plan can block space admins from allowing public links in spaces, block them preemptively while the global public links toggle is off, and multi-select to stop allowing, allow, or block from allowing in bulk.

To learn more about managing public links as a product admin, go to Control whether spaces can allow public links.

In the Public links tab of Space permissions, space admins will find a list of all the active public links in their space. They can turn off or block any active public link. On the Premium plan, they can multi-select to turn off or block in bulk.

Product admins on the Premium plan can block space admins from allowing public links in spaces, block them preemptively while the global public links toggle is off, and do so in bulk.

To learn more about managing public links as a product admin, go to Control whether spaces can allow public links.

Control for organization admins to use security policies to control public links is coming soon!

Alongside robust management functionality, Confluence will notify you of key public links activity to keep you on top of which content is shared publicly.

How product admins stay notified

As a product admin, you’ll be notified whenever someone allows public links for the entire site (changes the global toggle). Product admins can also choose to be notified whenever anyone turns on a public link anywhere on your site.

To stop receiving public links notifications as a product admin:

  1. Select your profile avatar in the top right of the top nav.

  2. Select Settings.

  3. Select Email in the sidenav.

  4. Select Edit.

  5. Uncheck Notify me when someone allows the use of public links on this site, and/or uncheck Notify me when someone turns on a public link.

How space admins stay notified

As a space admin, you’ll be notified whenever someone allows public links in your space (changes the space toggle) and whenever anyone turns on a public link in your space.

To stop receiving public links notifications as a space admin:

  1. Select your profile avatar in the top right of the top nav.

  2. Select Settings.

  3. Select Email in the sidenav.

  4. Select Edit.

  5. Uncheck Notify me when someone allows the use of public links in my spaces, and/or uncheck Notify me when someone turns on a public link in my space.

Confluence allows public links by default but no public links will actually be on by default. People will have to manually turn them on, where allowed.

Type of control

Allowed/On by default?

Site-level control in global permissions

Allowed

Space-level control

Allowed

Content-level control

Off

Defaults may differ depending on date of site creation
If your site was created before October 16, 2023, the global public links toggle will be off until you choose to turn it on.

If your site was created on or after October 16, 2023 — including sites migrating to Confluence Cloud — the global public links toggle will be on. Because all spaces will allow public links by default, this also means all spaces on your site will be allowing public links from the time you created the site. You’ll have to turn the global toggle off to stop allowing public links on your site.

Any time a product admin allows public links on their site by turning the global toggle from an off to an on position, all spaces will automatically and immediately move to an “allowed” status, regardless of any prior setting. No status will be remembered from before.

To be clear, this means users in any space that shouldn’t ultimately allow public links will be able to turn a public link on until an admin manually stops allowing public links in that space.

Upgrading from Free to paid plans will trigger these defaults

Public links aren’t available on the Free plan. Upgrading makes them available and will trigger these defaults. This means that, although no public links will be on immediately, people on your site will be free to use public links in all spaces on your site the moment you upgrade.

What protections are in place to avoid accidental sharing?

We know it’s critical to have complete control and awareness over any public sharing functionality. Confluence equips both admins and end users with plenty of protection navigating this feature.

Some spaces shouldn’t allow public links. Admins can simply toggle off the ability for users in a specific space to use public links.

Product and organization admins can control whether public links should be allowed or not allowed in any new spaces created. By default, public links will be allowed in all new spaces created.

To change whether new spaces created should allow public links:

  1. Select the gear icon in the top right to go to product settings.

  2. Select Space permissions.

  3. In the Public links section, select the toggle that controls whether new spaces should allow public links.

Confirmation messages prevent mistakes

Whenever an admin wants to allow public links on the site or in a space, they’ll be informed exactly what the effect of their action is — that it will allow users to turn on public links.

Likewise, whenever an end user tries to turn on a public link, they’ll be informed exactly what the effect of their action is:

  • It will make the public link active and available to be copied and shared by anyone who can view the page.

  • Anyone on the internet who already has the content item’s public link will be able to view the public version of it, even if no one re-shares the public link with them.

UI indicators show when content is public

Confluence employs a number of indicators in the UI to mark content that’s currently being shared publicly. This helps you and your team understand which content is public at key points in your workflow, such as when editing public content, and prevent sharing the wrong information with the wrong people.

The public link toggle on content items will appear grayed out, turned off, and disabled in any situation where the item’s public link isn’t allowed. This could be when:

  • The public link is specifically blocked by an admin.

  • Public links aren’t allowed in the space.

  • Public links aren’t allowed on the site.

All public links actions (with the exception of copying and sharing public links) are captured in the audit log. Whenever someone turns a public link on or off, a space admin allows public links in their space, or product admin allows public links for the site, it will be recorded.

If your site allows people with certain email domains to join or request access to your site, they will be able to do so from any public link. Learn more about how to control how users get access to Confluence.

What is hidden from visitors?

Visitors to a public links will see a safe, view-only version of the content that hides the internal Confluence UI and any other content but the public link.

Visitors can’t:

  • Edit the content

  • Leave comments

  • View comments

  • View the Confluence navigation

  • View the content tree and breadcrumbs

  • View most macros, including those that contain data outside of the shared content, and all third party macros

Public visitors can only view the following macros:

All other macros are not viewable in the view-only version of the content.

Still need help?

The Atlassian Community is here for you.