Word Count for Confluence — Security Information
This document describes the security posture of Word Count for Confluence, the Atlassian Marketplace app. It is intended for security reviewers at customer organisations evaluating Word Count for Confluence for installation.
Platform
Word Count for Confluence is built entirely on Atlassian Forge, Atlassian's hosted application platform. Word Count for Confluence operates no third-party servers and runs no code outside Atlassian's network. No End-User Data is transmitted outside Atlassian's infrastructure.
What this means in practice
- Every function call executes in Atlassian's sandboxed Node 24 runtime
- Every storage write goes to Forge Key Value Store (encrypted at rest, AES-256, Atlassian-managed)
- Every outbound network call is whitelisted in the Forge manifest and proxied through Atlassian
- The app cannot run code on your servers or your users' machines
Permissions
Word Count for Confluence requests two read-only Atlassian scopes:
| Scope | Reason |
|---|---|
read:page:confluence |
Read the body of the current page (ADF) so word/character/reading-time counts can be computed |
read:content-details:confluence |
Read minimal content metadata where needed for context |
That is the complete scope list. The app requests no write scopes, no administrative scopes, no user scopes, no storage scopes, no outbound network scopes, and no Confluence space-level scopes.
The app does not request external network egress. No host appears in permissions.external.fetch because the app never calls any external host.
Authentication
The app uses one authentication pattern, Forge asUser(), for fetching the page body.
Forge asUser() (read page body)
When a Confluence page is rendered, the app's resolver (or dynamicProperties handler) is invoked by Forge with the signed-in viewer's identity. The resolver calls requestConfluence(route\/wiki/api/v2/pages/${contentId}?body-format=atlas_doc_format`)withasUser()`, so Atlassian's identity platform authorises the read against the viewer's own page-read permissions. If the viewer cannot read the page, the call fails and the app surfaces an inline error inside the byline panel — the app cannot read pages the viewer themselves cannot read.
There are no other authentication paths. The app does not use asApp(), does not consume customer-supplied API keys, and does not store any credentials anywhere.
Secret handling
None. Word Count for Confluence stores no secrets, no API keys, no OAuth tokens, no client credentials, and no encryption keys. The app has no kvs.setSecret() calls, no @forge/kvs usage of any kind, and no settings panel to enter credentials.
There is nothing to rotate, revoke, or audit on the secrets side — because there are no secrets.
Account actions
None. Word Count for Confluence never writes to any account, page, group, or storage. It has no write scopes (see Permissions). It cannot delete, suspend, reclaim, or modify anything — including the user's own data, the page being viewed, or any other Confluence content.
The app's interaction with the Atlassian platform is exhaustively:
- Receive an invocation when a page is rendered
- Read the page body via
asUser() - Compute counts in memory
- Return counts to the byline UI
There is no fourth step. There is no audit log because there is no action to audit.
Counting logic and zero-egress guarantees
All word/character/reading-time/section computations are performed by pure TypeScript functions in src/lib/ running inside the Forge sandbox. These functions:
- Have no Forge API calls inside them (enforced by code review and TDD)
- Have no network calls of any kind
- Have no I/O other than receiving a string and returning a number/object
The lib/ functions are unit-tested with Vitest (55 tests, all passing). Forge I/O (page fetch, runtime context extraction) is isolated in src/resolvers/ and is itself the thinnest possible shell over requestConfluence. The "Exclude macros & embeds" toggle is processed entirely in-memory by lib/stripMarkup.ts; the macro content is never sent or stored regardless of the toggle's state.
There is no AI, no analytics, no telemetry, no error reporting service, and no third-party SDKs of any kind embedded in this app. The Marketplace security review for this app is intentionally trivial: there is nothing to review because nothing leaves the runtime.
Vulnerability reporting
Security vulnerabilities can be reported to security@taskhooker.com. We commit to acknowledging reports within 5 business days and disclosing patches via the Marketplace "What's new" section.
Word Count for Confluence is a solo-developer product. We do not currently operate a paid bug bounty programme.
Compliance
Word Count for Confluence inherits the security and compliance posture of the underlying Atlassian Forge platform. Atlassian Forge is certified under:
- SOC 2 Type II
- ISO 27001 / 27017 / 27018
- PCI-DSS (for the platform itself; Word Count for Confluence does not handle payment data)
- GDPR and CCPA compliance commitments
Word Count for Confluence itself does not have independent certifications. The app code is reviewed by Atlassian as part of the Marketplace listing approval process.
Audit & change history
For your records, every code change to Word Count for Confluence is reflected in the What's new section of the Marketplace listing for each version. The Marketplace partner portal also exposes a full version history for compliance audits.