Security Policy
Last updated: June 2026
1. Architecture & Execution Environment
Confluence Macro Toolkit runs entirely on the Atlassian Forge platform — a sandboxed, serverless execution environment managed by Atlassian.
No custom backend servers. All resolver logic executes in Forge's sandboxed Node.js runtime. We do not operate any servers, databases, or infrastructure.
Sandboxed execution. Forge enforces strict isolation between apps. Our code cannot access other apps' data, file systems, or network beyond declared permissions.
Custom UI isolation. All macro UIs run in sandboxed iframes with strict Content Security Policy (CSP) headers enforced by Atlassian.
2. Network Security
| Control | Detail |
|---|---|
| Encryption in transit | All communication uses TLS 1.2+ (enforced by Forge) |
| Encryption at rest | Forge Storage uses AES-256 encryption |
| Outbound connections | Only embed.diagrams.net and plantuml.com — both disabled by default |
| Inbound connections | None — no webhooks, no public endpoints |
| DNS/egress filtering | Forge restricts egress to declared domains in manifest.yml only |
3. Content Security Policy (CSP)
All Custom UI resources are served with Atlassian's strict CSP headers:
- script-src 'self' — no inline scripts except those bundled
- style-src 'self' 'unsafe-inline' — required for Swagger UI rendering
- connect-src — restricted to Forge bridge API only
- frame-src — only embed.diagrams.net (when enabled)
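The directives above can be checked mechanically. The following is an added example, not code from the Confluence Macro Toolkit or from Atlassian: a small CSP parser and a checker that flags a header which drifts from the shape described in this section (inline or eval-style script sources, non-self script sources, a wildcard connect-src, or a frame-src host other than embed.diagrams.net while diagrams are enabled). The header strings are constructed samples, and treating a wildcard connect-src as a violation of "Forge bridge API only" is an assumption.

```javascript
// Added example, not code from the Confluence Macro Toolkit: a small
// Content-Security-Policy parser plus a checker for the directive shape
// described in section 3. Header strings below are constructed samples.

// Split a CSP header into a Map of directive name -> array of source tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Browsers honour only the first occurrence of a repeated directive.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Strip the scheme so 'https://embed.diagrams.net' and 'embed.diagrams.net' compare equal.
const hostOf = (source) => source.replace(/^https?:\/\//i, '').toLowerCase();

// Fetch directives fall back to default-src when not set explicitly.
function effective(csp, name) {
  return csp.get(name) ?? csp.get('default-src') ?? [];
}

// Returns a list of findings; an empty list means the header matches the
// policy. diagramsEnabled mirrors the "when enabled" toggle for frame-src.
function checkCsp(header, { diagramsEnabled = false } = {}) {
  const csp = parseCsp(header);
  const findings = [];

  const scriptSrc = effective(csp, 'script-src');
  if (scriptSrc.length === 0) {
    findings.push('no script-src or default-src directive');
  }
  if (scriptSrc.some((s) => s === "'unsafe-inline'" || s === "'unsafe-eval'")) {
    findings.push('script-src permits inline or eval-style script execution');
  }
  const extraScript = scriptSrc.filter((s) => s !== "'self'" && !s.startsWith("'unsafe-"));
  if (extraScript.length > 0) {
    findings.push(`script-src allows sources beyond 'self': ${extraScript.join(' ')}`);
  }

  const styleAllowed = new Set(["'self'", "'unsafe-inline'"]);
  const extraStyle = effective(csp, 'style-src').filter((s) => !styleAllowed.has(s));
  if (extraStyle.length > 0) {
    findings.push(`style-src allows unexpected sources: ${extraStyle.join(' ')}`);
  }

  // Assumption: a missing or wildcard connect-src contradicts "Forge bridge API only".
  const connectSrc = effective(csp, 'connect-src');
  if (connectSrc.length === 0 || connectSrc.includes('*')) {
    findings.push('connect-src is missing or unrestricted');
  }

  const frameHosts = effective(csp, 'frame-src')
    .filter((s) => s !== "'none'")
    .map(hostOf);
  for (const host of frameHosts) {
    if (host === 'embed.diagrams.net' && diagramsEnabled) continue;
    findings.push(`frame-src allows ${host}`);
  }
  return findings;
}

// Constructed sample headers for a quick self-check.
const COMPLIANT_CSP =
  "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; " +
  "connect-src 'self'; frame-src 'none'";
const WEAK_CSP =
  "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; " +
  "connect-src *; frame-src https://embed.diagrams.net";

console.log('compliant:', checkCsp(COMPLIANT_CSP));
console.log('weak:', checkCsp(WEAK_CSP));
console.log('weak, diagrams enabled:', checkCsp(WEAK_CSP, { diagramsEnabled: true }));
```

Running the checker against response headers captured from a deployed Custom UI is a cheap regression test: the policy is set by Atlassian, not by the app, so a change in findings signals a platform-side change worth reading about rather than something to fix in the app's own code.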
4. Authentication & Authorization
- No credentials stored. The app never handles user passwords or tokens
- Forge-managed auth. All API calls use Forge's built-in token management
- Admin-only settings. Macro toggle settings require Confluence admin privileges
- Scoped permissions. Follows least-privilege — no write access to page content or user management
5. Input Validation & XSS Prevention
- All user input (diagram code, poll options, markdown) is sanitized before rendering
- Markdown rendered with DOMPurify sanitization to prevent XSS
- Mermaid diagrams rendered via official library with SVG output (no innerHTML)
- Poll/mood inputs length-limited and character-restricted
- Forge bridge communication validates message origin
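The length limits, character restrictions and origin validation listed above, shown as an added example that is not the toolkit's own code: an allowlist-based validator for poll/mood options and the generic postMessage origin check that iframe bridge code relies on. The caps (10 options, 100 characters), the character allowlist and the tenant origin are assumptions chosen for illustration, not values from the Confluence Macro Toolkit.

```javascript
// Added example, not code from the Confluence Macro Toolkit: length-limited,
// character-restricted validation for poll/mood options, plus the generic
// postMessage origin check that Custom UI bridge code relies on. The limits,
// allowlist and tenant origin below are assumptions, not the toolkit's values.

const MAX_OPTIONS = 10;          // assumed cap on options per poll
const MAX_OPTION_LENGTH = 100;   // assumed cap on characters per option

// Allowlist rather than denylist: letters and digits in any script, spaces,
// and a few punctuation marks. Markup characters such as < > & " are absent,
// so markup never reaches the renderer, whatever the renderer does with it.
const OPTION_PATTERN = /^[\p{L}\p{N} .,!?'()-]+$/u;

// Validates and normalises a list of poll options. Returns { ok, options }
// on success or { ok: false, error } naming the first violation.
function validatePollOptions(options) {
  if (!Array.isArray(options)) {
    return { ok: false, error: 'options must be an array' };
  }
  if (options.length === 0 || options.length > MAX_OPTIONS) {
    return { ok: false, error: `expected 1-${MAX_OPTIONS} options, got ${options.length}` };
  }
  const clean = [];
  for (const raw of options) {
    if (typeof raw !== 'string') {
      return { ok: false, error: 'each option must be a string' };
    }
    const value = raw.trim();
    if (value.length === 0) {
      return { ok: false, error: 'option is empty' };
    }
    if (value.length > MAX_OPTION_LENGTH) {
      return { ok: false, error: `option exceeds ${MAX_OPTION_LENGTH} characters` };
    }
    if (!OPTION_PATTERN.test(value)) {
      return { ok: false, error: `option contains disallowed characters: ${JSON.stringify(value)}` };
    }
    clean.push(value);
  }
  // Duplicate options make a vote ambiguous; reject them too.
  if (new Set(clean).size !== clean.length) {
    return { ok: false, error: 'options must be unique' };
  }
  return { ok: true, options: clean };
}

// Origin check for messages arriving in the iframe. The allowlist holds a
// constructed tenant host; a real app takes it from its own configuration.
const ALLOWED_PARENT_ORIGINS = new Set(['https://example.atlassian.net']);

function isTrustedBridgeMessage(event, allowed = ALLOWED_PARENT_ORIGINS) {
  // event.origin is exactly the scheme://host[:port] that posted the message;
  // exact string equality against the allowlist avoids prefix/suffix mistakes.
  return typeof event.origin === 'string' && allowed.has(event.origin);
}

// Constructed inputs for a quick run.
console.log(validatePollOptions(['Yes', 'No', 'Abstain']));
console.log(validatePollOptions(['Yes <b>please</b>']));
console.log(isTrustedBridgeMessage({ origin: 'https://example.atlassian.net' }));
console.log(isTrustedBridgeMessage({ origin: 'https://other.example' }));
```

The validator runs on the resolver side as well as in the UI: the iframe check gives fast feedback, but only the server-side copy is authoritative, since anything a browser sends can be altered before it reaches the resolver.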
6. Supply Chain Security
- Open source. Full source code publicly auditable on GitHub
- Pinned dependencies. All npm packages use exact versions (package-lock.json)
- Minimal dependencies. Each macro bundles only what it needs
- No post-install scripts. Build process is deterministic and auditable
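Two of the properties above, exact version pins and the absence of install-time scripts, are easy to enforce in CI. The following is an added example, not the toolkit's own tooling: a manifest check that reads a package.json object and reports any dependency specifier that is not an exact version and any npm lifecycle hook that would run automatically during install. The manifests and package names are constructed samples.

```javascript
// Added example, not code from the Confluence Macro Toolkit: a CI guard that
// checks a package.json for two properties section 6 claims, exact version
// pins and no lifecycle install scripts. The manifests below are constructed.

// Exact semver: MAJOR.MINOR.PATCH with optional pre-release/build metadata,
// and no range operators (^, ~, >=, x, *, ||) or tags such as "latest".
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// npm runs these automatically during `npm install`; the policy forbids them
// in the app's own manifest so the build stays deterministic and auditable.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns a list of findings; an empty list means the manifest is compliant.
function checkManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!EXACT_VERSION.test(spec)) {
        findings.push(`${field}.${name} is not pinned to an exact version: ${spec}`);
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && hook in pkg.scripts) {
      findings.push(`scripts.${hook} would run automatically on install`);
    }
  }
  return findings;
}

// Constructed manifests: one that satisfies the policy, one that does not.
const PINNED_MANIFEST = {
  dependencies: { 'example-bridge': '3.0.0', 'example-sanitizer': '3.1.6' },
  devDependencies: { 'example-compiler': '5.4.5' },
  scripts: { build: 'tsc', lint: 'eslint .' },
};
const LOOSE_MANIFEST = {
  dependencies: { 'example-bridge': '^3.0.0', 'example-sanitizer': 'latest' },
  scripts: { build: 'tsc', postinstall: 'node setup.js' },
};

console.log('pinned:', checkManifest(PINNED_MANIFEST));
console.log('loose:', checkManifest(LOOSE_MANIFEST));
```

In a pipeline the check reads package.json with `JSON.parse`, and `npm ci --ignore-scripts` complements it by refusing to run the hooks of third-party packages as well.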
7. Vulnerability Reporting
Responsible Disclosure
If you discover a security vulnerability, please do not open a public GitHub issue.
Instead:
- Use GitHub's private vulnerability reporting feature on the repository
- Or email security@vectored.dev
We aim to acknowledge reports within 48 hours and provide a fix timeline within 7 days.
8. Incident Response
- Security patches released as priority updates
- Affected users notified via GitHub release notes and Marketplace changelog
- Post-incident analysis published for critical vulnerabilities
9. Compliance
| Framework | Status |
|---|---|
| SOC 2 | Inherited from Atlassian Forge infrastructure |
| GDPR | No personal data processed — see Privacy Policy |
| CCPA | No personal information sold or shared |
| Forge Security Review | Subject to Atlassian's Marketplace security scanning |