AEM Security | Community
September 10, 2024
Solved

AEM Security

  • September 10, 2024
  • 1 reply
  • 754 views

Hi all,

Adobe AEM handles many security aspects out of the box.

Also, as developers/architects, we need to take care of some.

Please list some of the following:

1. Security aspects AEM handles out of the box, and how.

Ex: Sightly handles XSS.

Maybe AEM uses a special product/library/package for this.

2. Those that developers/architects should take care of,

whether in code or in configuration.

Ex: Data encryption, both at rest and in transit.

I would highly appreciate your replies.

Thanks,

RK.

Best answer by EstebanBustamante
1 reply

EstebanBustamante, Community Advisor and Adobe Champion (Accepted solution)
September 10, 2024

Hi,

 

This is an open question, so here are my two cents:

AEM generally addresses typical security issues such as DoS, DDoS, CSRF, XSS, etc., through various built-in configurations. Here are some details:

  • Cross-Site Scripting (XSS) Protection: AEM mitigates XSS vulnerabilities by filtering all user-supplied content upon output using the AntiSamy Java™ Library provided by OWASP. The default configuration for this library can be found at /libs/cq/xssprotection/config.xml, which can be customized to meet specific needs. In most cases, the default configuration is sufficient. Adobe also recommends using the XSSAPI provided by AEM for accessing XSS protection features.

  • Session Management: AEM follows the principle of least privilege by ensuring that all repository access is conducted using a session bound to the user request.

  • Protection Against Cross-Site Request Forgery (CSRF): AEM includes mechanisms to protect against CSRF attacks.

  • Access to Cloud Service Information: When integrating with Adobe Experience Cloud, AEM manages ACLs for Cloud Service Information and OSGi settings as part of Production Ready Mode.

  • CORS

  • WAF
    • ModSecurity, which is an Apache module
  • Traffic rules at the CDN layer

Regarding security aspects that developers and architects should handle, these responsibilities often align with the configurations mentioned above, as some settings need to be tailored to specific requirements. Beyond these, standard security practices such as writing secure code and following good development practices should also be applied.

 

You can read more about this topic here:

https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/security/understanding-dos-and-prevention-approaches 

https://experienceleague.adobe.com/en/docs/experience-manager-65/content/implementing/developing/introduction/security 

https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security-checklist#protect-against-cross-site-request-forgery

https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/security/understand-cross-origin-resource-sharing  

https://axamit.com/glossary/aem/security-best-practices/ 

 

Hope this helps, 

Esteban Bustamante
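A worked example of the XSSAPI point from the accepted answer, added by the editor and not code from the original thread or from Adobe. It shows the case where the developer, not HTL, is responsible for escaping: a Sling servlet that writes HTML straight to the response. The package name and the servlet path /bin/example/search are assumptions for illustration; the API used is the Sling XSSAPI (org.apache.sling.xss.XSSAPI) that AEM ships, whose filterHTML method applies the AntiSamy policy the answer refers to.

```java
package com.example.core.servlets;          // hypothetical package

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Servlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/**
 * Renders a small HTML fragment from request parameters. Because this code
 * writes markup itself instead of going through an HTL script, it gets none
 * of HTL's context-aware escaping: every untrusted value must be passed
 * through the XSSAPI encoder that matches the context it is written into.
 *
 * The commented-out line is the reflected-XSS version; the live code is the
 * hardened one.
 */
@Component(service = Servlet.class,
           property = { "sling.servlet.paths=/bin/example/search",   // assumed path
                        "sling.servlet.methods=GET" })
public class SearchFragmentServlet extends SlingSafeMethodsServlet {

    @Reference
    private XSSAPI xss;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        String query   = request.getParameter("q");      // free text typed by the user
        String backUrl = request.getParameter("back");   // URL supplied by the user
        String sizeStr = request.getParameter("size");   // expected to be an integer
        String intro   = request.getParameter("intro");  // rich text (HTML) from a form

        // VULNERABLE: q = "<img src=x onerror=alert(1)>" executes in the visitor's
        // browser and back = "javascript:alert(1)" becomes a clickable script URL.
        // String html = "<p>Results for " + query + "</p><a href='" + backUrl + "'>Back</a>";

        // HARDENED: one encoder or validator per output context.
        String safeText = xss.encodeForHTML(query);         // text between tags
        String safeAttr = xss.encodeForHTMLAttr(query);     // inside a quoted attribute
        String safeJs   = xss.encodeForJSString(query);     // inside a JS string literal
        String safeHref = xss.getValidHref(backUrl);        // "" for javascript:, data: etc.
        int    pageSize = xss.getValidInteger(sizeStr, 10); // 10 when not a valid integer
        String safeRich = xss.filterHTML(intro);            // AntiSamy policy: keeps allowed
                                                            // tags, strips script/handlers

        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();
        out.write("<p>Results for " + safeText + " (page size " + pageSize + ")</p>");
        out.write("<input type=\"text\" name=\"q\" value=\"" + safeAttr + "\">");
        if (!safeHref.isEmpty()) {                          // drop the link rather than
            out.write("<a href=\"" + safeHref + "\">Back</a>"); // render an unsafe one
        }
        out.write("<div class=\"intro\">" + safeRich + "</div>");
        out.write("<script>var lastQuery = '" + safeJs + "';</script>");
    }
}
```

To check the behaviour, request the assumed path with hostile parameters, for example q=<img src=x onerror=alert(1)>, back=javascript:alert(1) and size=abc: the response should contain the query as &lt;img ...&gt; text, no Back link at all, and a page size of 10. Note that in HTL component scripts this work is done for you: ${properties.title} is escaped for the html context by default, and the escaping only disappears when a script opts out with context='unsafe', so values rendered that way must already have gone through filterHTML.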