Expand my Community achievements bar.

July 31st AEM Gems Webinar: Elevate your AEM development to master the integration of private GitHub repositories within AEM Cloud Manager.

API Security for AEM Publisher API's


Level 3


We are exposing HTML , CSS and JS to third party applications within same domain. Can you please suggest API security we can implement to prevent it from accessing . 

AEM by default is not allowing AJAX from other domain. But it can be accessed anywhere through browser directly.



Poovitha S


2 Replies


Community Advisor

The preferred way to put security If you are using Cloud version is to use token-based authentication: https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-with-aem-headless/a... , and if you are using AEM on premise you should use oauth2.0: https://medium.com/tech-learnings/how-to-manage-the-protected-aem-resources-through-oauth-2-0-851ce4...  

Esteban Bustamante


Community Advisor

Hello @PoovithaSelvaraj  -


Here are some security considerations that you may consider :


  • You can define appropriate user roles and permissions within AEM to ensure that only authenticated and authorized users can access the resources.


  • Additionally, you can also leverage AEM's integration with Adobe Identity Management (IMS) or other identity providers to enable secure user authentication and enforce access controls.


  • Implement API tokens or keys to authenticate requests made to your AEM instances. Generate unique tokens or keys for each authorized third-party application and require them to include the token or key in their requests. Use AEM's built-in security features or consider leveraging Adobe I/O Runtime (Adobe's serverless platform) to handle the token or key validation.


  • Configure CORS settings within AEM to control which domains are allowed to make AJAX requests to your AEM instances. Set appropriate CORS headers to restrict cross-origin requests and ensure that only authorized domains are allowed.


  • Utilize CSP (Content Security Policy) settings to define which domains are allowed to load your HTML, CSS, and JS resources. Specify trusted domains and restrict the execution of scripts or content from untrusted sources.


  • Ensure that TLS encryption is enforced for communication between AEM instances and third-party applications. Configure AEM to use HTTPS for secure communication and protect data in transit.