Expand my Community achievements bar.

SOLVED

AEM Perf testing | CSRF token issue

Avatar

Level 2

Hi All,

 

AEM site is interacting with external site for some operation. During performance testing external site endpoint is is changed and application is redirected to new endpoint(modified endpoint). I want to restrict this behavior in AEM so that only valid domain/site will be allowed to interact from the AEM site.

I tried 'Apache Sling Referrer Filter' & csrf token and dispatcher token header. Will this solution work? Please advise something that can be controlled through AEM.

 

Which will be best and recommended approach?

 

Thanks,

Pradeep

1 Accepted Solution

Avatar

Correct answer by
Employee

Hi @pradeepd1320668,

You are following the correct recommendation to restrict access to only allow valid endpoints. Configuring Apache sling referrer filter would help here, see this https://docs.adobe.com/content/help/en/experience-manager-65/administering/security/security-checkli...for more details.

 

Also you can add some filter rules at dispatcher to directly block such requests reaching AEM. The Dispatcher filter can be used to allow or deny external access to specific areas of AEM. To protect our instance we should configure the Dispatcher to restrict external access as far as possible. First we should deny access to all files and then allow/deny access to specific areas. Example

/filter {
/0001 { /glob "*" /type "deny" }
/0002 { /type "allow" /url "/libs/cq/workflow/content/console*" }
/0003 { /type "deny" /url "/libs/cq/workflow/content/console/archive*" }
}
 
 
Thanks!!

View solution in original post

3 Replies

Avatar

Correct answer by
Employee

Hi @pradeepd1320668,

You are following the correct recommendation to restrict access to only allow valid endpoints. Configuring Apache sling referrer filter would help here, see this https://docs.adobe.com/content/help/en/experience-manager-65/administering/security/security-checkli...for more details.

 

Also you can add some filter rules at dispatcher to directly block such requests reaching AEM. The Dispatcher filter can be used to allow or deny external access to specific areas of AEM. To protect our instance we should configure the Dispatcher to restrict external access as far as possible. First we should deny access to all files and then allow/deny access to specific areas. Example

/filter {
/0001 { /glob "*" /type "deny" }
/0002 { /type "allow" /url "/libs/cq/workflow/content/console*" }
/0003 { /type "deny" /url "/libs/cq/workflow/content/console/archive*" }
}
 
 
Thanks!!

Avatar

Level 2
CSRF security checklist is already followed in dispatcher. Issue still exist. Is it possible in AEM to restrict the site interaction to certain domains only? Lets say site1 can interact with site2 and site3. If there is a request from site1 to site4 it can get rejected. Adding domain in 'Apache Sling Referrer filter' section is not helping here.