
SOLVED

Besides using the XSS API, is there a recommended way of implementing Content Security Policy headers in AEM?


Level 3

Content Security Policies and the Experience Cloud ID Service

Content Security Policy (CSP) - HTTP | MDN

In the above links and recommendations, whitelisting URLs and scripts is the standard way of implementing CSP, but is there a recommendation for implementing a CSP in AEM? I would like to know if someone has implemented one and can help me in implementing it.

-Sanjay

1 Accepted Solution


Correct answer by
Employee Advisor

I haven't dealt with CSP yet, but typically you set the headers on the dispatcher (via the webserver configuration). This assumes that the host list for the included files is quite static and doesn't change often. Then you can configure this list statically and you don't need to bother with it on the AEM side.

If you cannot hardcode this list (or if the dev team is tasked with it), I would create a servlet filter which adds this header for HTML pages. The list of domains is still configured somewhere (e.g. OSGi or Sling Context-Aware Configuration), but is then maintained by the dev team.

From my point of view there's not much magic in there, and implementing it should be straightforward.

Jörg

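The servlet-filter variant Jörg describes, as an added example that is not code from the thread or from Adobe: a Sling filter that builds the header from per-directive allowlists kept in an OSGi configuration and sets it only on HTML page responses. The class and property names (CspHeaderFilter, script.src, style.src, frame.src, report.only), the package, and the /content/.* pattern are assumptions.

```java
// Added example (not from the original thread or from Adobe): a Sling servlet
// filter that sets Content-Security-Policy on HTML page responses, with the
// allowed hosts maintained in an OSGi configuration instead of the dispatcher.
// Package, class and property names are assumptions.
package com.example.aem.security;

import java.io.IOException;
import java.util.StringJoiner;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

@Component(service = Filter.class,
           property = {
               "sling.filter.scope=REQUEST",      // once per request, not per include
               "sling.filter.pattern=/content/.*", // site pages only (assumed layout)
               "service.ranking:Integer=-700"
           })
@Designate(ocd = CspHeaderFilter.Config.class)
public class CspHeaderFilter implements Filter {

    @ObjectClassDefinition(name = "Example CSP Header Filter")
    public @interface Config {
        @AttributeDefinition(name = "Script sources", description = "Hosts allowed to serve scripts")
        String[] script_src() default {"'self'"};

        @AttributeDefinition(name = "Style sources")
        String[] style_src() default {"'self'"};

        @AttributeDefinition(name = "Frame sources")
        String[] frame_src() default {"'self'"};

        @AttributeDefinition(name = "Report only",
            description = "Send Content-Security-Policy-Report-Only while rolling the policy out")
        boolean report_only() default true;
    }

    private volatile String policy;
    private volatile String headerName;

    @Activate
    @Modified
    protected void activate(Config config) {
        // Separate directives per resource type; default-src stays at 'self' and
        // never carries 'unsafe-inline', which would let injected scripts run.
        policy = "default-src 'self'"
            + "; script-src " + join(config.script_src())
            + "; style-src " + join(config.style_src())
            + "; frame-src " + join(config.frame_src())
            + "; object-src 'none'"
            + "; base-uri 'self'"
            + "; frame-ancestors 'self'";
        headerName = config.report_only()
            ? "Content-Security-Policy-Report-Only"
            : "Content-Security-Policy";
    }

    private static String join(String[] sources) {
        StringJoiner joiner = new StringJoiner(" ");
        for (String source : sources) {
            joiner.add(source.trim());
        }
        return joiner.toString();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest slingRequest = (SlingHttpServletRequest) request;
        SlingHttpServletResponse slingResponse = (SlingHttpServletResponse) response;

        // Only HTML documents need the policy; JSON, images and client libraries are untouched.
        // The header is set before the chain renders, so it is committed with the response.
        if ("html".equals(slingRequest.getRequestPathInfo().getExtension())) {
            slingResponse.setHeader(headerName, policy);
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Two caveats matter for an AEM deployment. The dispatcher only stores the response headers listed under /cache /headers in the farm configuration, so Content-Security-Policy (or the Report-Only variant) has to be added there or cached pages will be served without it. Because a cached HTML file is identical for every visitor, per-request nonces do not work for cached pages, which is why the example relies on host allowlists; inline scripts in components then have to move into client libraries or be allowed by hash. Starting in report-only mode with a reporting endpoint shows what the policy would block before it is enforced.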

2 Replies



Level 2

Hi Jörg,

To implement CSP at the dispatcher level, can we use mod_headers like below:

Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' fonts.googleapis.com maxcdn.bootstrapcdn.com www.google.com www.youtube.com code.jquery.com www.googletagmanager.com"

Hence I included the libraries (as an example) which I want to be NOT blocked.
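Whether a directive like the one above does what it is meant to is easiest to see by parsing it. This is an added example, not code from the thread or from Adobe: a small Java checker that reads a policy string the way a browser resolves it (fetch directives fall back to default-src) and reports the settings that decide whether the policy still protects against XSS. It is run against the posted policy and against a tightened variant that splits the same hosts into script-src, style-src, font-src and frame-src. The assignment of hosts to directives, and fonts.gstatic.com for the Google Fonts font files, are assumptions to be verified against the site's actual page loads.

```java
// Added example (not from the original thread): a checker for a CSP string of
// the kind set with "Header set Content-Security-Policy ...". The host-to-
// directive assignment in the tightened policy is an assumption.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class CspPolicyCheck {

    /** Parse "name src src; name src" into directive -> source list, order kept. */
    static Map<String, List<String>> parse(String policy) {
        Map<String, List<String>> directives = new LinkedHashMap<>();
        for (String part : policy.split(";")) {
            String[] tokens = part.trim().split("\\s+");
            if (tokens[0].isEmpty()) continue;
            directives.put(tokens[0].toLowerCase(),
                           Arrays.asList(tokens).subList(1, tokens.length));
        }
        return directives;
    }

    /** Effective sources for a fetch directive: its own list, else default-src. */
    static List<String> effective(Map<String, List<String>> d, String name) {
        return d.getOrDefault(name, d.getOrDefault("default-src", new ArrayList<>()));
    }

    static List<String> findings(String policy) {
        Map<String, List<String>> d = parse(policy);
        List<String> out = new ArrayList<>();
        List<String> scripts = effective(d, "script-src");
        if (scripts.contains("'unsafe-inline'"))
            out.add("inline scripts allowed: injected <script> and on* handlers run, so the policy does not stop XSS");
        if (scripts.contains("'unsafe-eval'"))
            out.add("eval allowed for scripts");
        for (String s : scripts)
            if (s.equals("*") || s.equals("https:") || s.equals("http:"))
                out.add("scripts allowed from any host: " + s);
        if (!d.containsKey("script-src"))
            out.add("no script-src: every host in default-src may serve scripts, including font and frame hosts");
        if (!effective(d, "object-src").contains("'none'"))
            out.add("object-src not 'none': plugin content can be loaded");
        if (!d.containsKey("base-uri"))
            out.add("no base-uri: an injected <base> tag can redirect relative script URLs");
        return out;
    }

    public static void main(String[] args) {
        // The policy proposed in the reply above.
        String proposed = "default-src 'self' 'unsafe-inline' fonts.googleapis.com maxcdn.bootstrapcdn.com "
            + "www.google.com www.youtube.com code.jquery.com www.googletagmanager.com";
        // Same hosts, each limited to the resource type it actually serves (assumed).
        String tightened = "default-src 'self'; "
            + "script-src 'self' code.jquery.com maxcdn.bootstrapcdn.com www.googletagmanager.com; "
            + "style-src 'self' fonts.googleapis.com maxcdn.bootstrapcdn.com; "
            + "font-src 'self' fonts.gstatic.com; "
            + "frame-src www.youtube.com www.google.com; "
            + "object-src 'none'; base-uri 'self'";
        for (String p : new String[] {proposed, tightened}) {
            System.out.println(p);
            List<String> f = findings(p);
            System.out.println(f.isEmpty() ? "  no findings" : "  " + String.join("\n  ", f));
        }
    }
}
```

The proposed policy yields four findings (inline scripts allowed, no script-src, object-src not 'none', no base-uri); the tightened one yields none. Because the tightened variant also drops 'unsafe-inline' for styles, components that emit inline style attributes will be blocked, so roll it out as Content-Security-Policy-Report-Only first and read the reports before switching to the enforcing header.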