How does the Apache Sling Referrer Filter know the current host names? | Community
AEM_Dan
Level 3
January 31, 2018
Question

How does the Apache Sling Referrer Filter know the current host names?


After some testing, I see the Referrer Filter is doing a good job blocking POST requests outside of the current environment using the default configuration ("Allow Hosts" is blank).  And the documentation states "By default, all variations of localhost and the current host names the server is bound to are in the white list."

But how is it even "aware" of "the current host names the server is bound to"?  Our site URLs are VIPs that point to the dispatchers, so I don't know how that gets passed down to the publish instances.


2 replies

joerghoh
Adobe Employee
January 31, 2018

The referrer check is a very simple check: It checks if the hostname of the referring page (HTTP header: referrer) is the same as the hostname in the HTTP host header.

There are exceptions for this rule as mentioned, so you can automate tasks from the same machine more easily.

Jörg

AEM_Dan (Author)
Level 3
February 1, 2018

Thanks, I see that now.  I forgot that when the Dispatcher makes its HTTP connection to the publish instance, it passes the end-user facing domain as the HTTP host header even though that would not resolve to the publish instance host.
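
The comparison described in the two replies, as an added Python sketch (not part of the thread and not Sling's own Java code): it shows why a request forwarded by the Dispatcher passes while the same request sent straight to the publish host does not. The function names, the `allow_empty` flag, the `LOCAL_HOSTS` set and all host names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Models the "variations of localhost" exception from the documentation
# quoted in the question; this exact set is an assumption.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hostname(url):
    """Lower-cased host part of a URL, or "" if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # e.g. an unbalanced "[" in an IPv6 literal
        return ""


def referrer_allowed(host_header, referer, allow_empty=False):
    """True when the Referer's host equals the host in the Host header."""
    if not referer:
        return allow_empty  # missing Referer: a policy choice (assumed flag)
    ref_host = _hostname(referer)
    if not ref_host:
        return False  # relative or malformed Referer: nothing to compare
    if ref_host in LOCAL_HOSTS:
        return True
    # Exact match on the host, port stripped; never a prefix or substring test.
    return ref_host == _hostname("//" + host_header.strip())


# Constructed sample requests: (label, Host header, Referer header).
SAMPLES = [
    ("via dispatcher, same site", "www.example.com",
     "https://www.example.com/content/form.html"),
    ("via dispatcher, foreign site", "www.example.com",
     "https://other.example.net/page.html"),
    ("look-alike host", "www.example.com",
     "https://www.example.com.other.example.net/"),
    ("direct to publish host", "publish01.internal:4503",
     "https://www.example.com/content/form.html"),
    ("Host with port and mixed case", "WWW.Example.com:443",
     "https://www.example.com/"),
    ("no Referer", "www.example.com", None),
]


def evaluate(samples):
    """Run the check over the samples and return {label: allowed}."""
    return {label: referrer_allowed(host, ref) for label, host, ref in samples}


if __name__ == "__main__":
    for label, allowed in evaluate(SAMPLES).items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {label}")
```

The "direct to publish host" case is the one from the last reply: the check only passes for site traffic because the Dispatcher forwards the end-user facing domain in the Host header.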