What security measures should be taken care, when one AEM 6.5 publisher and dispatcher is placed outside FW | Community
Skip to main content
S
SmrithiGo
Level 4
November 3, 2025
Solved

What security measures should be taken care, when one AEM 6.5 publisher and dispatcher is placed outside FW

  • November 3, 2025
  • 4 replies
  • 325 views

Hi Team,

 

What security measures should be taken care, when one AEM 6.5 publisher and dispatcher is placed outside Firewall.

 

This is required for making it accessible to external customers, but I would like to know what are the security measure that we have to take care for this. 

Kindly suggest. Thanks. 

 

 

Best answer by muskaanchandwani

Hello @smrithigo 

Important Security Measures (Checklist) :

1. Deploy Dispatcher as a Security Layer
- Use Dispatcher in front of Publisher to filter requests and cache content.
- Always use the latest Dispatcher version.
- Run Dispatcher under a dedicated, least-privileged user.

2. Harden Dispatcher Configuration
- Deny all requests by default, then allow only necessary URLs (allowlist approach).
- Strictly restrict access to admin interfaces (CRXDE, OSGi Console, etc.).
- Only expose required endpoints for public content.
- Configure caching to cover only appropriate file types (e.g., .html, .js, .css, images).

3. Enforce HTTPS Everywhere
- Use HTTPS for all communication.
- Apply CA-signed certificates (not self-signed) and disable outdated protocols (e.g., SSLv3).

4. Protect Cache Operations
- Limit which clients can flush the Dispatcher cache (e.g., internal IPs only).

5. Prevent Common Security Risks
- Implement Cross-Site Request Forgery (CSRF) protection.
- Add security headers: X-FRAME-OPTIONS, Content-Security-Policy, X-Content-Type-Options, etc.
- Monitor and protect against DoS attacks through filters.

6. Firewalls and Network Segmentation
- Place Dispatcher and Publisher in a DMZ, isolated from the internal network.
- Use firewalls to control both external and internal traffic.

7. Restrict Access and Permissions
- Ensure repository permissions are set so only intended content is public.
- Disable or restrict unused consoles and services on Publish.

8. Monitor and Update Regularly
- Set up logging and alerts for suspicious activity.
- Regularly update all software components and run AEM security health checks.


References :
https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/getting-started/security-checklist
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/owasp-top10

4 replies

muskaanchandwani
Adobe Employee
muskaanchandwaniAdobe EmployeeAccepted solution
Adobe Employee
November 3, 2025

Hello @smrithigo 

Important Security Measures (Checklist) :

1. Deploy Dispatcher as a Security Layer
- Use Dispatcher in front of Publisher to filter requests and cache content.
- Always use the latest Dispatcher version.
- Run Dispatcher under a dedicated, least-privileged user.

2. Harden Dispatcher Configuration
- Deny all requests by default, then allow only necessary URLs (allowlist approach).
- Strictly restrict access to admin interfaces (CRXDE, OSGi Console, etc.).
- Only expose required endpoints for public content.
- Configure caching to cover only appropriate file types (e.g., .html, .js, .css, images).

3. Enforce HTTPS Everywhere
- Use HTTPS for all communication.
- Apply CA-signed certificates (not self-signed) and disable outdated protocols (e.g., SSLv3).

4. Protect Cache Operations
- Limit which clients can flush the Dispatcher cache (e.g., internal IPs only).

5. Prevent Common Security Risks
- Implement Cross-Site Request Forgery (CSRF) protection.
- Add security headers: X-FRAME-OPTIONS, Content-Security-Policy, X-Content-Type-Options, etc.
- Monitor and protect against DoS attacks through filters.

6. Firewalls and Network Segmentation
- Place Dispatcher and Publisher in a DMZ, isolated from the internal network.
- Use firewalls to control both external and internal traffic.

7. Restrict Access and Permissions
- Ensure repository permissions are set so only intended content is public.
- Disable or restrict unused consoles and services on Publish.

8. Monitor and Update Regularly
- Set up logging and alerts for suspicious activity.
- Regularly update all software components and run AEM security health checks.


References :
https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/getting-started/security-checklist
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/owasp-top10

    ManviSharma
    Adobe Employee
    ManviSharmaAdobe Employee
    Adobe Employee
    November 3, 2025

    Hello @smrithigo ,

     

    When one AEM 6.5 Publisher and Dispatcher are placed outside the internal firewall to make the site accessible to external users, it’s important to implement multiple layers of security to safeguard the environment. Below are the key security measures to consider:

    1. Dispatcher-Level Hardening

      • Allow only HTTP/HTTPS (ports 80/443).

      • Deny unsafe HTTP methods (PUT, DELETE, TRACE, CONNECT, OPTIONS).

      • Restrict access to sensitive AEM paths such as /libs, /apps, /system, /crx, /etc, /home, etc.

      • Enable host header validation and restrict allowed domains.

      • Cache only public content; exclude authenticated or restricted pages.

      • Use /allowedClients to limit flush and admin requests to internal IPs only.

    2. Publisher Security

      • Disable CRXDE Lite and OSGi consoles (/system/console).

      • Restrict anonymous access to only public content.

      • Use HTTPS for Author → Publisher replication with a dedicated service user.

      • Keep service packs updated and ensure minimal service user permissions.

    3. Network and Firewall

      • Place Dispatcher in the DMZ and Publisher behind it; do not expose Publisher directly.

      • Allow only inbound traffic to Dispatcher, and internal traffic from Dispatcher → Publisher.

      • Use HTTPS/TLS 1.2+ for all external communication.

      • Deploy a Web Application Firewall (WAF) and/or CDN for additional protection (XSS, SQLi, DDoS, etc.).

    4. Logging and Monitoring

      • Enable access and error logs at both Dispatcher and Publisher levels.

      • Integrate logs with SIEM tools (e.g., Splunk, ELK) for threat monitoring.

      • Configure rate limiting and request throttling where possible.

    5. General Best Practices

      • Follow Adobe’s official AEM 6.5 Security Checklist.

      • Perform regular security scans and penetration testing.

      • Review configurations periodically after releases or system changes.

    In short , keep the Dispatcher as the only public-facing component, secure it with WAF and HTTPS, and ensure the Publisher remains protected behind the firewall with strict access control.

    Regards,
    Manvi Sharma

      S
      SmrithiGoAuthor
      Level 4
      November 4, 2025

      @muskaanchandwani , Thanks again for all your suggestions. It is very helpful.

       

      Can you please explain in detail this part 

      In short , keep the Dispatcher as the only public-facing component, secure it with WAF and HTTPS, and ensure the Publisher remains protected behind the firewall with strict access control.

       

      This means, should we place publisher within the FW and only dispatcher outside FW,  so that external customers can access it? 

      S
      SmrithiGoAuthor
      Level 4
      November 4, 2025

      As a continuation to the previous comment, only the dispatcher is exposed outside FW and publisher is not. In that case, publisher will not be accessible directly by request coming from outside the FW.

      K
      kolluax
      Level 3
      February 9, 2026

      Hello ​@SmrithiGo  - We were in a similar position. I would recommend the below

      1. Resolve the domain that needs to be externalized to a CDN like Akamai, Cloudflare etc.this would give you piece of mind in case of any DDoS.
      2. Have all the allowed and expected patterns configured on this CDN layer, keep this in maintenance mode for the first few weeks.
      3. If there are any service calls from your form, use a gateway service like APIGEE etc to route them.
      4. Make sure your F5 is configured to only allow traffic from your CDN, this prevents any direct access.
      5. You can then as an additional security, harden your dispatcher filters to allow known requests.
      6. In our case, we did not place the publisher/dispatcher out of the firewall instead used CDN to route requests internally.

      Hope this helps !

       

      Thanks,

      Abhishek

        kautuk_sahni
        Community Manager
        kautuk_sahniCommunity Manager
        Community Manager
        February 17, 2026

        @SmrithiGo I wanted to follow up and see if your issue has been resolved. If you were able to find a solution—either from the responses above or on your own—we’d appreciate it if you could share the details for the benefit of others. Additionally, if any reply was helpful, marking it as accepted helps future members quickly identify effective solutions. Thank you for helping improve the community experience.

        Kautuk Sahni
        Terms & ConditionsAccessibility statement

        Loading footer...