Disable jcr:content.json from URL on publisher instance in AEM

tushaar_srivastava

20-01-2020

Hi,

End users are able to access the jcr:content.json URL, which exposes additional metadata about the page.
The jcr:content.json URL can be disabled on the publisher instance.

Can you please help me find the best way to restrict end users from accessing the jcr:content.json URL, and overcome this issue at a global level?
AEM publisher AEM6.3.0 disable url

Accepted Solutions (1)

Arun_Patidar

MVP

20-01-2020

Hi,

You should always whitelist rather than blacklist allowed patterns. That means deny everything first and allow whatever is needed, e.g.

/0001 { /type "deny" /url "*" }
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html" }
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }

.... other rules

In your case you can deny jcr:content by using one of the rules below:

# single quotes make the value a regex; in a double-quoted glob the parentheses and "|" would be literal characters
/0402 { /type "deny" /extension 'json' /path '.*(jcr:content|_jcr_content).*' }

/0403 { /type "deny" /extension 'json' /url "*_jcr_content.json*" }
/0404 { /type "deny" /extension 'json' /url "*jcr:content.json*" }
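To check a rule set like the one above before it goes to the publisher's Dispatcher, here is a small model of Dispatcher filter evaluation as an added example (it is not code from the original post or from Adobe). The model assumes what the Dispatcher documentation describes: rules are applied in order and the last matching rule wins, a double-quoted value is a glob and a single-quoted value is a regex matched against the whole value, and the request URL is split into path, selectors, extension and suffix at the first dot and the following slash. The rule set inside it reuses the answer's /0001, /0401 and /0410, renumbers the answer's /0017 selector deny to /0420 so that it comes after the allows, adds a hypothetical /0411 that allows page JSON under /content/myApp (to make the ordering visible), and writes the jcr:content path deny as a regex. The sample URLs are constructed, not captured traffic.

```python
"""Model of AEM Dispatcher filter evaluation (added example, not Adobe's code).

Assumed semantics, to be confirmed against the real Dispatcher with curl:
  * rules apply in order and the LAST matching rule wins; no match = deny
  * "double-quoted" values are globs, 'single-quoted' values are regexes
    matched against the whole value
  * a rule matches only when every property it sets matches
  * the URL splits into path / selectors / extension / suffix / query at
    the first dot and the following slash (Sling-style, simplified)
"""
import re
from fnmatch import fnmatchcase

_RULE_RE = re.compile(r'/(\d+)\s*\{(.*)\}\s*$')
_PROP_RE = re.compile(r'''/(\w+)\s+(?:"([^"]*)"|'([^']*)')''')

# Rule set under test. /0001, /0401, /0410 are from the answer above;
# /0411 is HYPOTHETICAL (a site that legitimately serves page JSON);
# /0420 is the answer's /0017 renumbered so it follows the allows;
# /0421 uses a regex because "(a|b)" in double quotes is a glob in which
# the parentheses and the pipe are literal characters.
FILTERS = r'''
/0001 { /type "deny" /url "*" }
/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html" }
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }
/0411 { /type "allow" /extension 'json' /path "/content/myApp/*" }
/0420 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }
/0421 { /type "deny" /extension 'json' /path '.*(jcr:content|_jcr_content).*' }
'''

# Constructed sample requests (not captured traffic).
SAMPLE_URLS = [
    '/content/myApp/en.html',
    '/content/myApp/en.model.json',
    '/content/myApp/en/jcr:content.json',
    '/content/myApp/en/_jcr_content.json',
    '/content/myApp/en/jcr:content/root/text.json',
    '/content/myApp/en.infinity.json',
    '/content/myApp/en.-1.json',
    '/content/other/en.html',
    '/libs/granite/dispatcher/content/vanityUrls.html',
]


def parse_filters(text):
    """Turn a /filter section into an ordered list of rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparsable rule: {line}')
        rule = {'id': m.group(1), 'type': 'deny', 'props': {}}
        for p in _PROP_RE.finditer(m.group(2)):
            key, glob, regex = p.group(1), p.group(2), p.group(3)
            if key == 'type':
                rule['type'] = glob if glob is not None else regex
            elif glob is not None:
                rule['props'][key] = ('glob', glob)
            else:
                rule['props'][key] = ('regex', regex)
        rules.append(rule)
    return rules


def split_url(url):
    """Decompose a request URL into the parts that filter properties test."""
    path_part, _, query = url.partition('?')
    dot = path_part.find('.')
    if dot == -1:
        return {'url': url, 'path': path_part, 'selectors': '',
                'extension': '', 'suffix': '', 'query': query}
    path, rest = path_part[:dot], path_part[dot + 1:]
    slash = rest.find('/')
    sel_ext, suffix = (rest, '') if slash == -1 else (rest[:slash], rest[slash:])
    parts = sel_ext.split('.')
    return {'url': url, 'path': path, 'selectors': '.'.join(parts[:-1]),
            'extension': parts[-1], 'suffix': suffix, 'query': query}


def _matches(kind, pattern, value):
    if kind == 'glob':
        return fnmatchcase(value, pattern)
    return re.fullmatch(pattern, value) is not None


def evaluate(rules, url):
    """Return (decision, rule id) for one URL; the last matching rule wins."""
    parts = split_url(url)
    decision, winner = 'deny', None
    for rule in rules:
        if all(_matches(kind, pat, parts.get(key, ''))
               for key, (kind, pat) in rule['props'].items()):
            decision, winner = rule['type'], rule['id']
    return decision, winner


def check(filters=FILTERS, urls=SAMPLE_URLS):
    """Evaluate every sample URL against the rule set."""
    rules = parse_filters(filters)
    return {u: evaluate(rules, u) for u in urls}


if __name__ == '__main__':
    for url, (decision, rule) in check().items():
        print(f'{decision:5} by /{rule}  {url}')
```

Run it and every jcr:content / _jcr_content request, including a deeper path such as /jcr:content/root/text.json, comes back denied by /0421, while /0420 catches en.infinity.json and en.-1.json. Move /0420 above the hypothetical /0411 and the evaluator reports en.infinity.json as allowed by /0411: with last-match-wins, a broad allow placed after a deny silently re-opens it, so the jcr:content and selector denies belong after any allow of .json. The model does not percent-decode, so also test the encoded form (jcr%3Acontent) and the _jcr_content form against the real instance; a request rejected by a filter should come back from the Dispatcher as a 404.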

Answers (0)