Disable jcr:content.json from URL on publisher instance in AEM

Question

Hi,End users are able to access jcr:content.json URL, which exposes additional metadata about the page.jcr:content.json URL can be disabled on publisher instance. Can you please help me to get the best way to restrict the end user to access jcr:content.json URL, and overcome from this issue at global level. @kautuk_sahni @arunpatidar

arunpatidar · Accepted Answer

Hi,You should always do white listing not black listing of allowed pattern. That means deny everything first and allow whatever is needed e.g./0001 { /type "deny" /url "*" }/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html"}/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }.... other rules  In your case you can deny jcr:content by using one of the below rule/0402 { /type "deny" /extension 'json' /path "*(jcr:content|_jcr_content)*" }/0403 { /type "deny"  /extension 'json' "*_jcr_content.json*" }/0404 { /type "deny"  /extension 'json' "*jcr:content.json*" }

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded