SOLVED
How do we allow post request to CQ from external sites?
wrote...
At CQ you need to custom implement for specific url.
In general AEM relies on web application/server firewall to protect.For your usecase use referrer header-based solution which can either be achieved using mod_rewrite [1] or something more elaborate like mod_security [2] on the webserver tier.
[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/
Hi Sham Thanks you very much for the reply, but in my case as the redirection comes from a payment gate way it is not adding the referrer in request header.
Is it possible to add the referrer header in dispatcher for a particular incoming request ?
wrote...
This is the CORS-problem (Cross-Origin Resource Sharing)
Basically, there are two ways of doing this.
1. Have the external domain use a JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).
2. You can manipulate on the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=...)
Notice that this is not fully supported by all browsers yet.
edit:
I actually realized there is one more way just configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that can post to the Sling Post in the Allowed hosts. I would advice you to not use any external domains that you don't have control over.
/O
Thank you very much Ove Lindstrm , but in my use case the redirection comes from a payment gate way which does not add referrer header, I guess the allowed hosts will map against the referrer header which again will fail.
