We are using AEM 6.0; we are quite aware that it is at end of support soon. We are on the way to migrating to AEM 6.3, but at this moment one urgent task for me is to resolve the vulnerability that we have on the site. Apart from the scenario discussed below, if you have any other way to mitigate CSRF for AEM 6.0, please let us know; we are ready to implement it, e.g. any GitHub project which provides token functionality.
We need your help to configure the referrer filter properly so that it prevents CSRF attacks.
Currently the OOTB configuration is present for the filter. We need to add allowed hosts, which is currently blank.
To prevent CSRF, what entries should I add to allowed hosts? Do I need to add the web servers? We have two publish servers that communicate with two web servers. Please help us here. I am quite confused about what needs to be added to properly prevent these attacks. Thank you in advance.
In the above config, you need to add a referrer if you are allowing requests to your site of a type other than GET from another domain/host, e.g. posting form data from another site to your site; otherwise it is OK to keep it blank.
Please check if this helps.
In order to allow trusted servers, AEM has a referrer filter that can be configured.
In the config manager, there is a configuration called “Apache Sling Referrer Filter”. This has the configs below:
In addition to these two, one can implement Cross-Origin Resource Sharing by using JSONP calls / manipulating Access-Control-Allow-Origin in the request header.
Until AEM 6.2, the official release allows only authenticated POST calls from external sources.
AEM 6.3 has introduced a Cross-Origin Resource Sharing configuration that allows authenticated and unauthenticated client-side calls. This has a configuration for allowed methods (POST, GET, DELETE, etc.).
The config manager has a configuration named “Adobe Granite Cross Origin Resource Sharing Policy”. This is explained here.
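To make the allowed-hosts discussion in the two answers above concrete, here is an added example written for this thread; it is not code from the thread, from Apache Sling or from AEM. It is a small Python model of the referrer filter's decision, keyed by the OSGi property names of the Sling Referrer Filter (allow.empty, allow.hosts, allow.hosts.regexp, filter.methods). The matching rules are a simplification written for this illustration (only the methods in filter.methods are checked, an empty Referer is decided by allow.empty, a Referer from the request's own host passes, allow.hosts adds extra hostnames, allow.hosts.regexp is matched against the full Referer URL) and should be checked against the Sling version actually deployed; all hostnames and requests are constructed.

```python
"""Toy model of the Apache Sling Referrer Filter decision.

Added illustration for this thread, not Sling's or AEM's code. The property
names mirror the OSGi configuration of the referrer filter; the matching
logic below is a simplification (assumption) and not a copy of Sling's.
"""
import re
from urllib.parse import urlsplit

# Constructed configuration. Assumed equivalent OSGi .config entries:
#   allow.empty=B"false"
#   allow.hosts=["example.com"]
#   allow.hosts.regexp=["https?://(www\\.)?example\\.com(:\\d+)?/.*"]
#   filter.methods=["POST","PUT","DELETE"]
DEFAULT_CONFIG = {
    "allow.empty": False,       # accept requests with no Referer at all?
    "allow.hosts": [],          # extra trusted Referer hostnames (no scheme/port)
    "allow.hosts.regexp": [],   # regexes matched against the full Referer URL
    "filter.methods": ["POST", "PUT", "DELETE"],  # only these are checked
}


def referrer_allowed(method, server_name, referer, config=DEFAULT_CONFIG):
    """Return True if the modelled filter would let the request through.

    server_name is the hostname of the request itself (what the browser put
    in the Host header); referer is the raw Referer header or None.
    """
    # Read-only methods are never blocked, whatever the Referer says.
    if method.upper() not in config["filter.methods"]:
        return True
    # Missing or blank Referer: decided solely by allow.empty.
    if not referer or not referer.strip():
        return config["allow.empty"]
    # A relative referrer (no scheme) is treated as same-site.
    if "://" not in referer:
        return True
    host = (urlsplit(referer).hostname or "").lower()
    if not host:
        return False  # unparseable referrer: fail closed
    # Same host as the request itself: allowed even with allow.hosts blank.
    if host == server_name.lower():
        return True
    # Extra trusted public hostnames configured in allow.hosts.
    if host in (h.lower() for h in config["allow.hosts"]):
        return True
    # allow.hosts.regexp patterns apply to the whole referrer URL.
    return any(re.fullmatch(p, referer) for p in config["allow.hosts.regexp"])


def scenarios(config=DEFAULT_CONFIG):
    """Constructed requests, as a browser on www.example.com would send them."""
    site = "www.example.com"
    return {
        # Normal form post from the site's own page.
        "same_site_post": referrer_allowed(
            "POST", site, "https://www.example.com/content/form.html", config),
        # Classic CSRF: auto-submitted form hosted on an attacker's page.
        "cross_site_post": referrer_allowed(
            "POST", site, "https://evil.example.net/csrf.html", config),
        # Browser sent no Referer (privacy extension, no-referrer policy).
        "no_referer_post": referrer_allowed("POST", site, None, config),
        # Cross-site GET: reads are not filtered at all.
        "cross_site_get": referrer_allowed(
            "GET", site, "https://evil.example.net/", config),
        # Second public hostname of the same site (apex domain without www).
        "alias_host_post": referrer_allowed(
            "POST", site, "https://example.com/page.html", config),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:16s} -> {'allowed' if allowed else 'blocked (403)'}")
```

The model shows what the filter actually looks at: the browser's Referer header, which carries the hostname the user sees in the address bar. With allow.hosts blank, a POST from the site's own pages passes and a POST from a foreign page is blocked, so the entries to add are the other public hostnames under which the same site is reached (for example the apex example.com next to www.example.com, or a second brand domain), not the internal web server or dispatcher addresses that the publish instances talk to, which never appear in a browser's Referer. Two caveats from the model: setting allow.empty to true accepts every request that arrives without a Referer, which an attacker's page can arrange by suppressing the header, so keep it false; and a Referer check is a weaker control than a per-session CSRF token, which is why the question about a token library is a reasonable follow-up.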
Thank you for your quick response.
So the application servers are communicating with the web servers; do I need to enter all those http/https entries for the web servers in the referrer filter, in the allowed hosts field?
Thank you for help.
So basically, in allowed hosts, do I need to enter only domainname.com?
No need to add the web server entries, in the format http/https://host:port, with which the application servers are communicating?