Manage access to external sites
An external site is an Atlassian cloud site that exists outside your organization and is owned and managed by another organization.
How external sites are managed
You might want to prevent your users from accessing certain external sites, even if they’ve been given access to them. This helps prevent data exfiltration by ensuring users can access only authorized sites while connected to your organization’s network.
External site access is controlled through a policy, plus a header injection in all outgoing HTTPS requests sent to Atlassian. The header injection tells Atlassian which sites your users can access. The policy accepts external Atlassian cloud sites only. Validation will prevent you from adding:
sites that don’t use the Atlassian infrastructure
sites that are part of your Atlassian-run organization
sites that are considered ‘well-known’ Atlassian sites
These sites are always accessible, regardless of your policy configuration.
The following Atlassian sites are considered ‘well-known’:
atlassiansupport.atlassian.net
Although you don’t need to add well-known Atlassian sites to your external sites policy, the following Atlassian domains still require the header injection for HTTPS traffic:
| Domain pattern | Coverage | Examples of included sites |
|---|---|---|
| | All your Atlassian-managed sites and ‘well-known’ sites | |
| | All Jira-specific Atlassian sites | |
| | All Atlassian-owned sites | |
To summarize, the following table provides examples of how requests are treated, based on your system configuration.
| Scenario when user sends request | Outcome | Description |
|---|---|---|
| | Allowed | Request proceeds normally |
| | Blocked | HTTP 403 returned |
| | Allowed | Request proceeds normally |
| | Allowed | Request proceeds normally |
| | Unrestricted | No enforcement applied |
| | Unrestricted | No enforcement applied |
| | Unrestricted | No enforcement applied |
Tips before you start
Your network infrastructure must perform TLS inspection (SSL decryption) on Atlassian domains because the header must be injected into HTTPS traffic. Header injection is not possible without TLS inspection in place.
Before you change your proxy or firewall, verify the header injection and enforcement behavior using a browser extension, such as Modify Header Value, which lets you inject arbitrary request headers directly from your browser to verify the end-to-end flow of your policy without any network infrastructure changes.
External site access restrictions don't apply to managed user accounts (such as account-based enforcement that applies regardless of network location).
Quick start guide to configuring external sites management
To get started with managing external sites access, perform these three steps:
Step 1: Create a draft policy.
Step 2: Configure your network infrastructure with the policy header.
Step 3: Activate your policy.
Step 1: Create a draft policy
You can use an external sites policy to block some or all external sites.
For individual external sites, you can enter their URLs with or without their protocols. Each time you enter a URL, we’ll check that the URL is a valid Atlassian cloud site that’s external to your organization. This ensures all URLs are valid before you save your list. You can also update this list later if you need to.
To specify some or all external sites to allow:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Device security > External sites.
Select Create policy to open the two-step workflow.
In the Name field, enter a name for your policy.
In the Sites section, select whether you wish to block all external sites, or allow a selection of external sites.
If you chose to use a selection of external sites, type each external site URL, and press the Enter key after each URL before typing the next one.
Select Create to continue to step two of the workflow.
Select Copy to copy your header key. You will need this for your header injection.
Select Close.
Your external sites policy will be displayed as a draft on your screen, and is not yet activated.
Test your policy (optional)
We strongly recommend verifying that your policy will work as expected on your network infrastructure through testing. To test it, you will need to temporarily activate your policy.
Make sure you’re still viewing your policy in Atlassian Administration.
Select Activate policy to display a final confirmation, then select Activate.
Use your preferred browser extension to inject the request header. If you’re not sure how to do this, follow the instructions provided by the browser extension.
Test that your policy works as expected, and when you’re ready, return to your policy in Atlassian Administration.
Select Deactivate policy to display a final confirmation, then select Deactivate policy.
Step 2: Configure your network infrastructure with the policy header
Your active policy won’t function until you’ve configured your network infrastructure, such as a proxy, firewall, or Secure Access Service Edge (SASE) platform. Your network infrastructure must inject the Atl-Tenant-Restriction-Policy header into all outgoing HTTPS requests sent to Atlassian. This tells Atlassian which policy to apply to your users' requests.
The header is available from your external sites policy. It contains your org ID and policy ID in a well-formed format (`Atl-Tenant-Restriction-Policy: {orgId}:{policyId}`), so no further manipulation is needed.
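The following is an added example, not code from this page or from Atlassian: a small injection helper in the shape a proxy or SASE request hook would use, covering both the header format above and the "which Atlassian domains get the header" question from the domain table. It assumes the three domain suffixes listed in `INJECT_SUFFIXES` (the page's table lost its pattern column, so these are this example's assumption) and uses constructed org and policy IDs.

```python
import re
from typing import Dict, Tuple

HEADER_NAME = "Atl-Tenant-Restriction-Policy"

# ASSUMPTION: domain suffixes that should carry the header. The page's table
# only preserves the coverage column; these are an illustrative reading of it,
# not the page's own list. Use the domain table from Atlassian Administration.
INJECT_SUFFIXES = (".atlassian.net", ".jira.com", ".atlassian.com")


def build_header(org_id: str, policy_id: str) -> str:
    """Return the header value in the documented {orgId}:{policyId} form."""
    for name, value in (("orgId", org_id), ("policyId", policy_id)):
        if not value or ":" in value or any(c.isspace() for c in value):
            raise ValueError(f"invalid {name}: {value!r}")
    return f"{org_id}:{policy_id}"


def parse_header(value: str) -> Tuple[str, str]:
    """Split a header value back into (orgId, policyId); reject anything else.
    Useful when checking what your proxy actually sent (e.g. from a capture)."""
    m = re.fullmatch(r"([^:\s]+):([^:\s]+)", value.strip())
    if not m:
        raise ValueError(f"malformed {HEADER_NAME} value: {value!r}")
    return m.group(1), m.group(2)


def needs_injection(host: str) -> bool:
    """True when the request host is an Atlassian domain the policy covers.
    Matches on label boundaries so 'atlassian.net.example.org' is not covered."""
    h = host.lower().rstrip(".").split(":")[0]  # normalise case, drop any port
    return h.endswith(INJECT_SUFFIXES) or h in (s.lstrip(".") for s in INJECT_SUFFIXES)


def inject(headers: Dict[str, str], host: str, org_id: str, policy_id: str) -> Dict[str, str]:
    """Return a copy of the outgoing request headers with the policy header added
    for covered hosts. Any client-supplied copy of the header is dropped first,
    so a device cannot choose its own (or an empty) policy."""
    out = {k: v for k, v in headers.items() if k.lower() != HEADER_NAME.lower()}
    if needs_injection(host):
        out[HEADER_NAME] = build_header(org_id, policy_id)
    return out


if __name__ == "__main__":
    # Constructed IDs; real values come from "View header key" in Atlassian Administration.
    print(inject({"Host": "acme.atlassian.net"}, "acme.atlassian.net", "example-org", "example-policy"))
```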
To configure your network infrastructure with the policy header:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Device security > External sites.
From your policy list, locate the policy you wish to use and check its status is set to Active.
From the More actions (•••) menu, select View header key.
Select Copy to copy your header key, then Done.
If you haven’t already tested your policy, follow the instructions earlier on this page.
Open your company’s network configuration and navigate to your header insertion settings.
Paste the header key in the appropriate place, then save your changes.
Repeat steps 6 to 7 for each Atlassian domain listed in the table on this page.
Verify your configuration to check everything is working as expected.
Your network configuration is now complete. It won’t do anything until you activate your policy.
Step 3: Activate your policy
When you’re satisfied that your header injection work is complete and correct, you’re ready to activate your policy. You can deactivate it at any time, if required.
To activate your policy:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Device security > External sites.
From your policy list, select the name of the policy you wish to activate to open it.
Select Activate policy to display a final confirmation, then select Activate.
The status of your external sites policy will be updated to Active.
Manage your external site access policies
Your header key relates to your organization and policy, so any changes you make to it don’t change the header key. This means you can change a policy without having to reconfigure your network infrastructure. However, if you decide to create another policy, it will have a different header key. Only one policy can be active at any time.
Add or remove external sites from a policy
You can add and remove external sites from an existing policy by editing the policy.
If your policy blocks all external sites, you can still convert it to a policy that allows just a selection. When you add an external site URL to the policy, the default of ‘block all’ is removed, and the only allowed external site is the URL you added.
If your policy allows a selection of external sites, you can convert it to a policy that blocks all external sites. When you remove all external site URLs from the list of allowed sites, the default of ‘block all’ is reinstated, and all external sites are blocked.
To add or remove external sites from a policy:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Device security > External sites.
From your policy list, select the name of the policy you wish to update to open the policy.
To add an external site:
Select Add external site.
Enter the site URL, then press the Enter key.
Select Add.
To delete an external site:
Locate the external site you wish to delete.
Select Delete, which will display a final confirmation.
Select Remove to confirm the deletion.
Locate your policy header key
Your policy header key is stored with the policy details.
To locate your policy header key:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Device security > External sites.
From your policy list, find the target policy, then from the More Actions (•••) menu, select View header key.
You can view your key and copy it to your clipboard from here.
Deactivate a policy
You can deactivate a policy without deleting it. This might be useful if you need to temporarily deactivate for any reason.
To deactivate and reactivate a policy:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Device security > External sites.
From your policy list, select the name of the policy you wish to update to open the policy.
Select Deactivate policy to display a final confirmation, then select Deactivate policy.
The policy is now deactivated. You can reactivate it at any time.
Delete a policy
You can delete a policy in two places: from the list of policies, or from the open policy screen.
To delete a policy:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Device security > External sites.
From your policy list, either:
Select the name of the policy you wish to update to open the policy, then from the More Actions (•••) menu, select Delete policy, then Delete from the confirmation.
From the More Actions (•••) menu, select Delete, then Delete from the confirmation.
The policy will be deleted and cannot be reinstated.
Limitations
Content surfaced via Atlassian Home
When a user goes to Atlassian Home (home.atlassian.com), the app switcher will still show all sites they’ve been given access to, regardless of any blocked external sites in your policy list. Most importantly:
They won’t be able to access those sites from the app switcher.
They may be able to retrieve and surface content from those sites through other tools, such as Rovo.
Atlassian mobile apps
Atlassian mobile apps use certificate pinning. If you enable TLS inspection (SSL decryption), which is required for blocking external sites, the apps will stop working.