Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

AEM Perf testing | CSRF token issue

Avatar

Level 2
Level 2
8/21/20 5:31:10 AM

Hi All,

 

AEM site is interacting with external site for some operation. During performance testing external site endpoint is is changed and application is redirected to new endpoint(modified endpoint). I want to restrict this behavior in AEM so that only valid domain/site will be allowed to interact from the AEM site.

I tried 'Apache Sling Referrer Filter' & csrf token and dispatcher token header. Will this solution work? Please advise something that can be controlled through AEM.

 

Which will be best and recommended approach?

 

Thanks,

Pradeep

Views

1.3K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee
Employee
8/21/20 6:02:55 AM

Hi @pradeepd1320668,

You are following the correct recommendation to restrict access to only allow valid endpoints. Configuring Apache sling referrer filter would help here, see this https://docs.adobe.com/content/help/en/experience-manager-65/administering/security/security-checkli...for more details.

 

Also you can add some filter rules at dispatcher to directly block such requests reaching AEM. The Dispatcher filter can be used to allow or deny external access to specific areas of AEM. To protect our instance we should configure the Dispatcher to restrict external access as far as possible. First we should deny access to all files and then allow/deny access to specific areas. Example

/filter {
/0001 { /glob "*" /type "deny" }
/0002 { /type "allow" /url "/libs/cq/workflow/content/console*" }
/0003 { /type "deny" /url "/libs/cq/workflow/content/console/archive*" }
}
 
 
Thanks!!

View solution in original post

Views

1.3K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Correct answer by
Employee
Employee
8/21/20 6:02:55 AM

Hi @pradeepd1320668,

You are following the correct recommendation to restrict access to only allow valid endpoints. Configuring Apache sling referrer filter would help here, see this https://docs.adobe.com/content/help/en/experience-manager-65/administering/security/security-checkli...for more details.

 

Also you can add some filter rules at dispatcher to directly block such requests reaching AEM. The Dispatcher filter can be used to allow or deny external access to specific areas of AEM. To protect our instance we should configure the Dispatcher to restrict external access as far as possible. First we should deny access to all files and then allow/deny access to specific areas. Example

/filter {
/0001 { /glob "*" /type "deny" }
/0002 { /type "allow" /url "/libs/cq/workflow/content/console*" }
/0003 { /type "deny" /url "/libs/cq/workflow/content/console/archive*" }
}
 
 
Thanks!!

Views

1.3K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 2
Level 2
9/1/20 4:48:00 AM
In response to vanegi
CSRF security checklist is already followed in dispatcher. Issue still exist. Is it possible in AEM to restrict the site interaction to certain domains only? Lets say site1 can interact with site2 and site3. If there is a request from site1 to site4 it can get rejected. Adding domain in 'Apache Sling Referrer filter' section is not helping here.

Views

1.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
RTE full options not appearing in minimized view AEM 6.5 cloud Solved

Views

166

Likes

0

Replies

4
I have a component based on show-hide in AEM. can any one help on this

Views

41

Likes

0

Replies

1
HTL tags issue

Views

71

Likes

0

Replies

4
AEM dispatcher not serving page from publisher

Views

75

Likes

0

Replies

1
Redirects do not work with x-aem-client-country header

Views

141

Likes

0

Replies

2