AEM Perf testing | CSRF token issue | Community
pradeepd1320668
Level 2
August 21, 2020
Solved

AEM Perf testing | CSRF token issue

  • August 21, 2020
  • 1 reply
  • 1603 views

Hi All,


The AEM site is interacting with an external site for some operation. During performance testing the external site endpoint is changed and the application is redirected to the new endpoint (modified endpoint). I want to restrict this behavior in AEM so that only a valid domain/site will be allowed to interact from the AEM site.

I tried the 'Apache Sling Referrer Filter', CSRF token and dispatcher token header. Will this solution work? Please advise something that can be controlled through AEM.

Which will be the best and recommended approach?


Thanks,

Pradeep


1 reply

vanegi
Adobe Employee
Accepted solution
August 21, 2020

Hi @pradeepd1320668,

You are following the correct recommendation to restrict access to only allow valid endpoints. Configuring the Apache Sling Referrer Filter would help here; see https://docs.adobe.com/content/help/en/experience-manager-65/administering/security/security-checklist.html#protect-against-cross-site-request-forgery for more details.

Also you can add some filter rules at the Dispatcher to directly block such requests from reaching AEM. The Dispatcher filter can be used to allow or deny external access to specific areas of AEM. To protect our instance we should configure the Dispatcher to restrict external access as far as possible. First we should deny access to all files and then allow/deny access to specific areas. Example:

/filter {
  # Start by denying everything
  /0001 { /glob "*" /type "deny" }
  # Then open only the paths that must be reachable
  /0002 { /type "allow" /url "/libs/cq/workflow/content/console*" }
  # Rules are evaluated in order, so a later deny narrows the earlier allow
  /0003 { /type "deny" /url "/libs/cq/workflow/content/console/archive*" }
}
Thanks!!
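As an added example (not code from the answer, from Adobe, or from Apache Sling), the following Python models the decision logic of the two controls named above: the Sling Referrer Filter check on an inbound modifying request, and the order-dependent, last-match-wins evaluation of the Dispatcher /filter rules shown. The host names, allowlist and sample paths are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample values (not from the thread): the AEM host, the partner host
# that legitimate requests may reference, and the modifying methods the Sling
# Referrer Filter checks by default.
SERVER_HOST = "aem.example.com"
ALLOW_HOSTS = {"partner.example.com"}
MODIFYING_METHODS = {"POST", "PUT", "DELETE"}


def referrer_allowed(method, headers, server_host=SERVER_HOST,
                     allow_hosts=ALLOW_HOSTS, allow_empty=False):
    """Simplified model of the Sling Referrer Filter decision for one request.

    Read-only methods are never checked. A missing Referer/Origin is accepted
    only when allow_empty is set (the filter's allow.empty option). A relative
    referrer is treated as same-site; anything else must name the server itself
    or a host on the allowlist. The Origin value "null" is not relative and so
    falls through to the host check, where it is rejected.
    """
    if method.upper() not in MODIFYING_METHODS:
        return True
    ref = headers.get("Referer") or headers.get("Origin")
    if not ref:
        return allow_empty
    if ref.startswith("/"):
        return True
    host = urlsplit(ref).hostname
    return host is not None and (host == server_host or host in allow_hosts)


# Mirrors the /filter block in the answer: deny everything, allow the workflow
# console, then carve the archive back out. Only /url-style path patterns are
# modelled here; the real /glob rule matches the whole request line.
DISPATCHER_RULES = [
    ("deny", "*"),
    ("allow", "/libs/cq/workflow/content/console*"),
    ("deny", "/libs/cq/workflow/content/console/archive*"),
]


def dispatcher_allows(path, rules=DISPATCHER_RULES):
    """Dispatcher filter semantics: rules apply in order and the last match wins."""
    verdict = "deny"
    for action, pattern in rules:
        if fnmatchcase(path, pattern):
            verdict = action
    return verdict == "allow"
```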
pradeepd1320668
Level 2
August 30, 2020
Thank you, I will see if this works.