Sling referrer filter - question on allow.empty and allow.hosts.regexp

Question

if allow.empty is enabled BUT I have entries in allow.hosts.regexp, is my instance still limited to the hosts lin the allow.hosts.regexp list or will the instance accept any request coming from anywhere? Thanks!

AmitVishwakarma · Accepted Answer

Hi @jayv25585659 ,Here's how the behavior works in AEM:Allow Empty = trueThis allows requests with no Referer header to be accepted.This is helpful for requests from scripts, tools, or environments that don't set a Referer.Allow Hosts RegexpThis applies only when the Referer header is present.AEM checks the Referer against the list of regular expressions you’ve defined.If the Referer matches, the request is allowed.If not, it’s blocked.So to directly answer your question:If allow.empty=true but I have entries in allow.hosts.regexp, is my instance still limited?No — your instance will accept requests:Without a Referer → allowed (because allow.empty = true)With a Referer → allowed only if it matches allow.hosts.regexpRecommendation for Security:If your goal is to enforce domain-level restrictions, consider:Setting allow.empty = false in production to prevent anonymous tools/scripts from bypassing the Referer check.Making sure allow.hosts.regexp is tight and matches only trusted domains.Regards,Amit

ShivamKumar · Answer

Hi @jayv25585659 ,If allow.empty=true, AEM will allow requests with no Referer header regardless of what's in allow.hosts.regexp. But if a Referer header is present, it must match the allow.hosts.regexp pattern to be accepted.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded