Disable CSRF on AEM 6.3

mehmetsezgin

20-08-2019

Hi Community,

Our customer's web site doesn't have any authenticated users. All users are anonymous.

Components have a granite.jquery dependency, so CSRF protection is enabled automatically.

The dispatcher and publisher instances are receiving too many unnecessary CSRF token requests.

Is there any way to disable CSRF protection on AEM 6.3?

Thanks in advance.

Mehmet

Replies

mehmetsezgin

20-08-2019

Thanks Arun.

The publisher responds with an empty token to CSRF requests, since users are not authenticated.

I think the excluded path is used to bypass the CSRF token check for certain destinations.

https://taylor.callsen.me/security-and-java-servlets-in-aem-6-1/

Our goal is to stop the browser's CSRF token requests so the dispatcher will not have to handle them.

jbrar

Employee

20-08-2019

It is not recommended to remove the token.json call, as this call is used to prevent CSRF attacks and removing it would lead to a major security risk. Please refer to the documentation at [1].

If you still want to remove the call, you need to remove all dependencies to "granite.jquery" in the code.

[1] https://helpx.adobe.com/ca/experience-manager/6-3/sites/developing/using/csrf-protection.html

[2] https://helpx.adobe.com/experience-manager/6-5/forms/using/admin-help/preventing-csrf-attacks.html

[3] https://docs.adobe.com/content/help/en/experience-manager-dispatcher/using/configuring/configuring-d...

mehmetsezgin

20-08-2019

Thanks JaideepBrar.

As I mentioned, the CSRF framework is sending an empty token to the browser. In our case, should we still keep the token.json calls?

jbrar

Employee

20-08-2019

The CSRF filter/token mechanism only supports authenticated users. So, if you are hosting a static site without any login functionality, you can remove the token call.

Note that the Sling Referrer Filter offers a second layer of CSRF protection which works in all cases, authenticated or not. See the Sling Referrer Filter section of the security checklist [0] for reference.

[0] https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/security-checklist.html

himanshuj749478

16-09-2019

Hi arunpatidar26, JaideepBrar

How do I "remove the token call" for a static publish environment? As mentioned earlier, "excluding" it via the filter is not the same as removing the call.

Thanks

Himanshu

Arun_Patidar

MVP

16-09-2019

You can write a redirect on the Apache server that returns an empty file as the response when token.json is requested.

e.g.

RewriteEngine on
# Serve the local empty file instead of forwarding token.json to the publisher
RewriteRule "^/libs/granite/csrf/token\.json$" "/emptyfile.json" [PT]
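To see what that rule would and would not keep off the publisher before rolling it out, here is an added example (not code from the thread or from Adobe) that applies the same anchored pattern to request targets taken from constructed dispatcher access-log lines. It assumes Apache's default behaviour of matching RewriteRule against the URL path without the query string, and it reports how many requests would be served locally versus passed through.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Same pattern as the RewriteRule in the post above. Apache matches RewriteRule
# against the URL path only, so any query string on the request does not affect
# the match.
TOKEN_RULE = re.compile(r"^/libs/granite/csrf/token\.json$")

def is_short_circuited(request_target):
    """True if the rewrite would answer this request with the local empty file."""
    path = urlsplit(request_target).path
    return bool(TOKEN_RULE.match(path))

# Combined log format: method and target sit inside the quoted request field.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def summarize(log_lines):
    """Count requests the rewrite keeps off the publisher vs. those it passes on."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            counts["unparsed"] += 1
            continue
        if is_short_circuited(m.group("target")):
            counts["token_json_served_locally"] += 1
        else:
            counts["forwarded_or_cached"] += 1
    return counts

# Constructed sample access-log lines (hypothetical, not from any real system).
# The selector variant on the fourth line shows that the anchored pattern is an
# exact match: anything else under /libs/granite/csrf/ still reaches the publisher.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Aug/2019:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5123',
    '203.0.113.10 - - [20/Aug/2019:10:00:02 +0000] "GET /libs/granite/csrf/token.json HTTP/1.1" 200 0',
    '203.0.113.11 - - [20/Aug/2019:10:00:03 +0000] "GET /libs/granite/csrf/token.json?_=1566295203 HTTP/1.1" 200 0',
    '203.0.113.12 - - [20/Aug/2019:10:00:04 +0000] "GET /libs/granite/csrf/token.selector.json HTTP/1.1" 404 0',
    '203.0.113.12 - - [20/Aug/2019:10:00:05 +0000] "POST /content/site/en/contact.html HTTP/1.1" 200 220',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```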