Adobe Experience Manager Sites & More

AEM_Dan · 1/31/18

After some testing, I see the Referrer Filter is doing a good job blocking POST requests outside of the current environment using the default configuration ("Allow Hosts" is blank). And the documentation states "By default, all variations of localhost and the current host names the server is bound to are in the white list."

But how is it even "aware" of the "the current host names the server is bound to?" Our site URLs are VIPs that point to the dispatchers so I don't know how that gets passed down to the publish instances.

Jörg_Hoh · 1/31/18

The referrer check is a very simple check: It checks if the hostname of the referring page (HTTP header: referrer) is the same as the hostname in the HTTP host header.

There are exceptions for this rule as mentioned, so you can automate tasks from the same machine more easily.

Jörg

AEM_Dan · 2/1/18

Thanks, I see that now. I forgot that when the Dispatcher makes it's HTTP connection to the publish instance, it passes the end-user facing domain as the HTTP host header even though that would not resolve to the publish instance host.

Adobe Experience Manager Sites & More

How does the Apache Sling Referrer Filter know the current host names?

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe