SOLVED
AEM Security
1 Accepted Solution
Correct answer by
Hi,
This is an open question, so here are my two cents:
AEM generally addresses typical security issues such as DoS, DDoS, CSRF, XSS, etc., through various built-in configurations. Here are some details:
-
Cross-Site Scripting (XSS) Protection: AEM mitigates XSS vulnerabilities by filtering all user-supplied content upon output using the AntiSamy Java™ Library provided by OWASP. The default configuration for this library can be found at
/libs/cq/xssprotection/config.xml, which can be customized to meet specific needs. In most cases, the default configuration is sufficient. Adobe also recommends using the XSSAPI provided by AEM for accessing XSS protection features. -
Session Management: AEM follows the principle of least privilege by ensuring that all repository access is conducted using a session bound to the user request.
-
Protection Against Cross-Site Request Forgery (CSRF): AEM includes mechanisms to protect against CSRF attacks.
-
Access to Cloud Service Information: When integrating with Adobe Experience Cloud, AEM manages ACLs for Cloud Service Information and OSGi settings as part of Production Ready Mode.
-
CORS
- WAF,
- ModSecurity which is an Apache module
- Traffic rules at the CDN layer
Regarding security aspects that developers and architects should handle, these responsibilities often align with the configurations mentioned above, as some settings need to be tailored to specific requirements. Beyond these, standard security practices such as writing secure code and following good development practices should also be applied.
You can read more about this topic here:
https://axamit.com/glossary/aem/security-best-practices/
Hope this helps,
Esteban Bustamante
Correct answer by
Hi,
This is an open question, so here are my two cents:
AEM generally addresses typical security issues such as DoS, DDoS, CSRF, XSS, etc., through various built-in configurations. Here are some details:
-
Cross-Site Scripting (XSS) Protection: AEM mitigates XSS vulnerabilities by filtering all user-supplied content upon output using the AntiSamy Java™ Library provided by OWASP. The default configuration for this library can be found at
/libs/cq/xssprotection/config.xml, which can be customized to meet specific needs. In most cases, the default configuration is sufficient. Adobe also recommends using the XSSAPI provided by AEM for accessing XSS protection features. -
Session Management: AEM follows the principle of least privilege by ensuring that all repository access is conducted using a session bound to the user request.
-
Protection Against Cross-Site Request Forgery (CSRF): AEM includes mechanisms to protect against CSRF attacks.
-
Access to Cloud Service Information: When integrating with Adobe Experience Cloud, AEM manages ACLs for Cloud Service Information and OSGi settings as part of Production Ready Mode.
-
CORS
- WAF,
- ModSecurity which is an Apache module
- Traffic rules at the CDN layer
Regarding security aspects that developers and architects should handle, these responsibilities often align with the configurations mentioned above, as some settings need to be tailored to specific requirements. Beyond these, standard security practices such as writing secure code and following good development practices should also be applied.
You can read more about this topic here:
https://axamit.com/glossary/aem/security-best-practices/
Hope this helps,
Esteban Bustamante
