How to configure Apache Sling Referrer filter to mitigate the CSRF attack in AEM 6.0
August 27, 2018

  • 1 reply
  • 12000 views

Hi Team,

We are using AEM 6.0; we are quite aware that it is at end of support soon. We are in the process of migrating to AEM 6.3, but at this moment one urgent task for me is to resolve the vulnerability that we have on the site. Apart from the scenario discussed below, if you have any other way to mitigate CSRF for AEM 6.0 then please let us know; we are ready to implement it, e.g. any GitHub project which provides token functionality.

We need your help to configure the referrer filter properly, in such a way that it prevents CSRF attacks.

Currently its OOTB configurations are present for the filter. We need to add allowed hosts, which is currently blank.

Request filter checking the referrer of modification requests.

  • Allow Empty: Allow an empty or missing referrer (allow.empty)
  • Allow Hosts: List of allowed hosts for the referrer which are added to the list of default hosts. (allow.hosts)
  • Allow Regexp Host: List of allowed regexp for the referrer. (allow.hosts.regexp)
  • Filter Methods: These methods are filtered by the filter. (filter.methods)

To prevent CSRF, what entries should I add in allowed hosts? Do I need to add the web servers? We have two publish servers that communicate with two web servers. Please help us here. I am quite confused about what needs to be added to properly prevent these attacks. Thank you in advance.


1 reply

arunpatidar
Community Advisor
August 27, 2018
Level 3
August 29, 2018

Hi Arun,

We are looking for the solution for AEM 6.0 SP3. Do you have a solution for that? As I mentioned above, by white-listing the servers, will it resolve CSRF?

arunpatidar
Community Advisor
August 29, 2018

In the above config, you need to add a referrer if you are allowing requests to your site other than type GET from another domain/host, e.g. posting form data from another site to your site; otherwise it is OK to keep it blank.

Please check if this helps:

https://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.html

More info

Referrer-header configurations:

In order to allow the trusted servers, AEM has a referrer filter that can be configured.
In config manager, we have a configuration called “Apache Sling Referrer Filter”. This has the below configs:

  • which HTTP methods should be filtered
  • whether an empty referrer header is allowed
  • a whitelist of servers to be allowed in addition to the server host.

In addition to these two, one can implement Cross origin request sharing by using JSONP calls / manipulating Access-Control-Allow-Origin in the request header.

Until AEM 6.2, the official release allows only authenticated POST calls from external sources.

AEM 6.3 has introduced a Cross-Origin Resource Sharing configuration that allows authenticated and unauthenticated client-side calls. This has configuration for allowed methods (POST, GET, DELETE, etc.).

The config manager has a configuration named “Adobe Granite Cross Origin Resource Sharing Policy”. This is explained here

Arun Patidar
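To make the filter behaviour discussed in this thread concrete, here is an added example (not from the post and not Sling's own ReferrerFilter source): a simplified reimplementation of the referrer check driven by the four properties listed above, plus a small audit of settings that weaken it. The default lists and the sample hostnames are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed config mirroring the four Sling Referrer Filter properties from
# the thread. Defaults are an assumption for this example: allow.hosts is left
# blank (as in the OOTB config) so only the request's own host is trusted.
CONFIG = {
    "allow.empty": False,                      # reject POST/PUT/DELETE with no Referer
    "allow.hosts": [],                         # extra trusted hosts, blank by default
    "allow.hosts.regexp": [],                  # regex patterns for trusted hosts
    "filter.methods": ["POST", "PUT", "DELETE"],
}

def referrer_allowed(method, referer, request_host, config=CONFIG):
    """Decide whether a request passes the referrer check.

    request_host is the hostname from the Host header without a port.
    Only the methods in filter.methods are checked; the request's own host
    is always trusted; any other host must appear in allow.hosts or match
    one of the allow.hosts.regexp patterns.
    """
    if method.upper() not in config["filter.methods"]:
        return True                            # e.g. GET is never filtered
    if not referer:
        return config["allow.empty"]           # empty or missing Referer header
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                           # unparsable or non-HTTP referrer
    host = parts.hostname.lower()
    if host == request_host.lower():
        return True                            # same-origin form post
    if host in (h.lower() for h in config["allow.hosts"]):
        return True
    return any(re.fullmatch(p, host) for p in config["allow.hosts.regexp"])

def weak_settings(config):
    """Return a list of findings that make the filter ineffective against CSRF."""
    findings = []
    if config["allow.empty"]:
        findings.append("allow.empty is true: requests without a Referer are accepted")
    for p in config["allow.hosts.regexp"]:
        # A pattern that matches an arbitrary, clearly untrusted name trusts everyone.
        if re.fullmatch(p, "not-your-site.invalid"):
            findings.append("allow.hosts.regexp pattern %r matches any host" % p)
    for m in ("POST", "PUT", "DELETE"):
        if m not in config["filter.methods"]:
            findings.append("filter.methods does not include %s" % m)
    return findings
```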