Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Besides using xss api is there a recommended way of implementing content security policy headers in AEM?

Avatar

Level 3

Content Security Policies and the Experience Cloud ID Service

Content Security Policy (CSP) - HTTP | MDN

In the above links and recommendations, whitelisting urls and scripts is a standard way of implementing CSP but is there a recommendation for implementing a CSP in AEM and would like to know if someone implemented and help me in implementing one.

-Sanjay

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

I haven't dealt with CSP yet, but typically you set the headers on the dispatcher (via webserver configuration). This assumes that the host list for the included files is quite static and doesn't change often. Then you can configure this list statically and you don't need to bother on an AEM side with it.

If you cannot hardcode this list (or if the dev team is tasked with it), I would create a servlet filter which adds this header for HTML pages. The list of the domains is still configured somewhere (e.g. OSGI or Sling Context Aware Configuration), but then maintained by the DEV team.

From my point of view there's not much magic in there, and implementing it should be straight forward.

Jörg

View solution in original post

2 Replies

Avatar

Correct answer by
Employee Advisor

I haven't dealt with CSP yet, but typically you set the headers on the dispatcher (via webserver configuration). This assumes that the host list for the included files is quite static and doesn't change often. Then you can configure this list statically and you don't need to bother on an AEM side with it.

If you cannot hardcode this list (or if the dev team is tasked with it), I would create a servlet filter which adds this header for HTML pages. The list of the domains is still configured somewhere (e.g. OSGI or Sling Context Aware Configuration), but then maintained by the DEV team.

From my point of view there's not much magic in there, and implementing it should be straight forward.

Jörg

Avatar

Level 2

Hi Jorg,

To implement CSP  at dispatcher level,can  we use mod_headers like below :

Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' fonts.googleapis.com  maxcdn.bootstrapcdn.com www.google.com www.youtube.com code.jquery.com www.googletagmanager.com"

Hence I included the libraries(example) which I  want to be NOT blocked.