Adobe Experience Manager Sites & More

SrikanthPo3 · 1/29/25

Hi All,

We have registration functionality on our website where an AEM sling servlet collects the data from form and inserts that record into a database table. AEM Sling servlet is invoked from Ajax call from client side. We suspect that there are fraudulent attempts by invoking the sling servlet directly from API client like Postman. AEM Sling servlet is registered with resource type. Is it possible to invoke sling servlet from API client like Postman? If yes, how can we block the attempts to the servlet. Please help here.

Tethich · 1/29/25

Hi @SrikanthPo3

So you have a servlet that you exposed for someone or something to invoke. Which means for a specific scenario and actor (human or software), you want the requests to go through.

Now, if they do get through from Postman, it means that whoever made the request has the authorization credentials, and was able to add them in Postman. Otherwise it would have give them 401 in Postman. Maybe it was for development, and the harm was intended, but you can't risk it. I would suggest to identify the credentials used, either user or token, change them, and inform the trusted actors of the new credentials to be used.

Another thing you could do, is to check in your servlet the request User-Agent header, and not permit PostmanRuntime/7.43.0 (or other version). But this is not a long term solution. Imagine requests can be made from anywhere: cUrls, browsers etc.

Another option would be to add some filtering rules upper in the infrastructure, to permit only known IPs:
- For AEMaaCS we have this documentation page: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/usi...
- Or you can do it at Dispatcher level: https://blogs.perficient.com/2022/02/15/ip-whitelisting-through-aem-dispatcher-in-5-easy-steps/ , for on-prem setup.

- Or if you have custom cloud, your DevOps specialist could guide you

Tethich · 1/29/25

"Maybe it was for development, and the harm was NOT intended ..." I meant to say. But I cant edit the posts anymore, to correct it. This feature was removed from community recently.

gkalyan · 1/29/25

@SrikanthPo3

If the servlet is registered with a resource type and is publicly accessible, any user with knowledge of the endpoint can make requests to it, regardless of the client used (e.g., jQuery AJAX, Postman, etc.)

There are multiple ways you can secure your form submits.

I would say one of the best one would be add recaptcha validation both at client slide and at the server side.

Shiv_Prakash_Patel · 1/29/25

Hi @SrikanthPo3 ,

We can block fraudulent attempts from API clients like Postman.

Enable CSRF Protection
Validate Referrer & Origin Headers
Restrict Servlet Access to Logged-in Users
Use CAPTCHA for Bot Prevention
Implement Rate Limiting via Dispatcher
Whitelist Allowed Domains
Use JWT/OAuth Authentication for Secure Requests

You can combine CSRF protection, referrer validation, and CAPTCHA for immediate secuirty.

Regards,

Shiv Prakash

SrikanthPo3 · 2/2/25

Hi @Shiv_Prakash_Patel

Thanks for your response.

We have login feature, but the user authentication is taken not by SAML Handler, it is with Adobe Commerce integration. Can you please throw some light on how we can restrict the access of servlet to logged-in users.

SrikanthPo3 · 2/7/25

Hi @Shiv_Prakash_Patel

Can you please share the steps to implement rate limiting at AEM dispatcher?

Any document link for reference.

arunpatidar · 1/30/25

Hi @SrikanthPo3,

You can rely on following -

Use captcha
Servlet API - Rate limit at CDN

Arun Patidar

SrikanthPo3 · 1/30/25

Thanks for your response @arunpatidar

captcha can be implemented on only web page, am I correct? It might not help if someone is submitting the requests from API client like Postman?

I will check Servlet API - Rate limit at CDN.

arunpatidar · 1/30/25

Hi @SrikanthPo3

Captcha is used to avoid use of application outside browser. because backend server needs to validate the captcha with each form submit.

https://medium.com/@hwupathum/recaptcha-how-it-works-4031eae74a8b

Arun Patidar

AmitVishwakarma · 2/1/25

To secure your AEM Sling servlet from fraudulent attempts (e.g., direct access via API clients like Postman), you can implement the following measures:

1. Enable CSRF Protection: Use AEM's built-in CSRF protection to prevent unauthorized requests.

2. Validate Referrer & Origin Headers: Ensure that requests to the servlet only come from trusted sources (your website).

3. Restrict Access to Logged-in Users: Limit access to the servlet by requiring the user to be logged in (if appropriate).

4. Use CAPTCHA for Bot Prevention: Implement CAPTCHA validation, ideally both on the client and server side, to prevent automated submissions.

5. Implement Rate Limiting: Use rate limiting at the Dispatcher level or via CDN to limit excessive requests.

6. Whitelist Allowed Domains or IPs: Restrict access by whitelisting trusted domains or IPs to prevent external API clients from making requests.

7. Use JWT/OAuth Authentication: Secure your API with JWT or OAuth to ensure that only authorized users or services can invoke the servlet.

By combining these methods, especially CSRF protection, CAPTCHA, and referrer validation, you can greatly reduce the risk of fraudulent access.

kautuk_sahni · 2/10/25

@SrikanthPo3 Did you find the suggestions helpful? Please let us know if you need more information. If a response worked, kindly mark it as correct for posterity; alternatively, if you found a solution yourself, we’d appreciate it if you could share it with the community. Thank you!

Kautuk Sahni

SrikanthPo3 · 2/10/25

Hi @kautuk_sahni

We already have CSRF filter rule and clientheaders configuration in our dispatcher but still we are able to hit the AEM servlet from postman.

I am looking on information to configure rate limiting at AEM dispatcher. I could not find this, can you or anyone help here.

ayush-804 · 2/16/25

Hi @SrikanthPo3 ,

You can use ModSecurity to block clients that make an excessive number of requests within a short period at the dispatcher level. I found a helpful documentation link: https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/security/modsecurity-....

Hope this helps.

Regards,

Ayush

Adobe Experience Manager Sites & More

How to secure AEM sling servlet

Arun Patidar

Arun Patidar

Kautuk Sahni

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe