Disable CSRF on AEM 6.3 | Community
Skip to main content
M
mehmetsezgin
Level 2
August 20, 2019

Disable CSRF on AEM 6.3

  • August 20, 2019
  • 2 replies
  • 13300 views

Hi Community,

Our customer web site doesn't have any authenticated user. All users are anonymous.

Components have granite.jquery dependency so csrf protection is enabled automatically.

Dispatcher and publisher instance receiving too many unnecessary csrf token requests.

Is there any way to disable csrf protection on AEM 6.3?

Thanks in advance.

Mehmet

    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

    2 replies

    arunpatidar
    Community Advisor
    arunpatidarCommunity Advisor
    Community Advisor
    August 20, 2019

    Please check

    The CSRF Protection Framework

    you can add /content path in exclude filter at http://localhost:4504/system/console/configMgr/com.adobe.granite.csrf.impl.CSRFFilter

    Arun Patidar
      M
      mehmetsezginAuthor
      Level 2
      August 20, 2019

      Thanks Arun.

      Publisher responds with empty token to csrf requests. Since users are not authenticated.

      I think excluded path is used bypass csrf token check for certain destinations.

      https://taylor.callsen.me/security-and-java-servlets-in-aem-6-1/

      Our goal is stop browser's csrf token requests so dispatcher will not have to handle them.

        U
        Adobe Employee
        user05162Adobe Employee
        Adobe Employee
        August 20, 2019

        Thanks JaideepBrar​.

        As i mentioned CSRF framework is sending empty token to browser. For our case should we still keep token.json calls?


        The CSRF filter/token mechanism only supports authenticated users. So, If you are hosting a static site without any login functionality, you can remove the token call.

        Note that the Sling Referrer Filter offers a second layer of CSRF protection which works in all cases, authenticated or not. See Sling Referrer Filter section of security checklist [0] for reference

        [0] https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/security-checklist.html

          H
          himanshuj749478
          September 16, 2019

          Hi arunpatidar26JaideepBrar

          How do I "remove the token call" for static publish environment? Like mentioned in the past - "excluding" it via filter is not same as removing the call.

          Thanks

          Himanshu

            arunpatidar
            Community Advisor
            arunpatidarCommunity Advisor
            Community Advisor
            September 16, 2019

            You can write a redirect at apache server to return response of empty file when token.json is requested.

            e.g.

            RewriteEngine  on
            RewriteRule   "^/libs/granite/csrf/token\.json$"  "/emptyfile.json" [PT]

            Arun Patidar
              M
              Mayukh007
              Level 4
              February 12, 2021

              Hi Arun and Team,

              @arunpatidar 

              We have similar situation with token.json. our sites are mostly public and we dont need calls for token.json hit publisher. So we used your above solution to redirect call to a dummy json.

               

              but now we have CUG pages in the site and we were validating if we need to bring back token.json for CUG pages.

               

              Questions:

              1. Even if now token.json returns dummy value, AEM still works in CUG pages...Shouldn't AEM stop accessing CUG page when my token.json value is wrong and does not match value in publisher (I assume token.json value gets checked in server side for CSRF prevention)

               

              2. Can we completely get rid of token.json by removing Granite dependency for our CUG pages..? Does it really have any impact in terms of security..?

               

              3. Also we are seeing granite.js getting loaded in publisher which we should not need in publisher...Can we stop granite.js to be loaded in publisher but still use token.json..?

                Terms & ConditionsAccessibility statement

                Loading footer...