Denial of Service Attacks

Employee

As you know from AEM development, you can use selectors in the URL of your pages. Unfortunately, this is also a common area for Denial of Service attacks. Let's look at some strategies to mitigate these types of attacks:

The best way to prevent the above is to do a validation of the selectors at the page level. The Sling API, specifically the RequestPathInfo, provides the getSelectors() method to get all the selectors from the requested URL. If you are not expecting any selectors to be passed to your CQ page, you should make sure that slingRequest.getRequestPathInfo().getSelectors() yields an empty array. Otherwise, you should do a very strict comparison of the selectors array with what you're expecting.

If there are any unexpected selectors, you may choose to throw a 404 (Not Found) or other error status code so that the page does not get cached.

This can help prevent Denial of Service attacks. Questions?

0 Replies
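The selector allowlist check described in the post, written out as an added example (it is not code from the post's author or from Adobe). It uses a Sling request-scope Filter so the check applies to every page under one site root rather than being repeated in each page script; the site path /content/mysite, the allowed selectors "print" and "mobile", and the limit of one selector per request are assumptions for the example. The check is an exact match against the allowlist, an empty selector array passes, and anything else is answered with sendError(404) so that Dispatcher, which caches only 200 responses, never stores the variant.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestPathInfo;
import org.osgi.service.component.annotations.Component;

/**
 * Sling request filter that rejects requests whose selectors are not on an
 * explicit allowlist. The site root pattern and the allowed selectors are
 * hypothetical values chosen for this example.
 */
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        "sling.filter.pattern=/content/mysite/.*",   // assumed site root
        "service.ranking:Integer=1000"                // run before other request filters
})
public class SelectorAllowlistFilter implements Filter {

    // Hypothetical allowlist: the only selectors the page scripts know how to render.
    private static final Set<String> ALLOWED_SELECTORS = Set.of("print", "mobile");

    // Assumed upper bound: selector chains longer than this are never legitimate here.
    private static final int MAX_SELECTORS = 1;

    /**
     * Strict comparison of the requested selectors with what we expect.
     * getSelectors() returns an empty array when the URL carries no selector,
     * and an empty array is accepted. Package-private so it can be unit tested.
     */
    static boolean selectorsAllowed(String[] selectors) {
        if (selectors == null || selectors.length == 0) {
            return true;
        }
        if (selectors.length > MAX_SELECTORS) {
            return false;
        }
        return Arrays.stream(selectors).allMatch(ALLOWED_SELECTORS::contains);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof SlingHttpServletRequest) || !(res instanceof SlingHttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        SlingHttpServletResponse response = (SlingHttpServletResponse) res;
        RequestPathInfo info = request.getRequestPathInfo();

        if (!selectorsAllowed(info.getSelectors())) {
            // A committed 404 is not cached by Dispatcher and the request never
            // reaches a page script, so the rendering cost of the bogus variant is avoided.
            response.sendError(SlingHttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise
    }

    @Override
    public void destroy() {
        // nothing to clean up
    }
}
```

Two things worth keeping in mind when adapting this: the comparison must stay an exact match (no prefix or regular-expression matching, which would reopen the door to unbounded variants), and selectors are only one of the URL parts that produce distinct cache entries, so the same kind of strict check is worth applying to the extension and the suffix of the request as well.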