Hi All,
We have registration functionality on our website where an AEM sling servlet collects the data from form and inserts that record into a database table. AEM Sling servlet is invoked from Ajax call from client side. We suspect that there are fraudulent attempts by invoking the sling servlet directly from API client like Postman. AEM Sling servlet is registered with resource type. Is it possible to invoke sling servlet from API client like Postman? If yes, how can we block the attempts to the servlet. Please help here.
Hi @SrikanthPo3
So you have a servlet that you exposed for someone or something to invoke. Which means for a specific scenario and actor (human or software), you want the requests to go through.
Now, if they do get through from Postman, it means that whoever made the request has the authorization credentials, and was able to add them in Postman. Otherwise it would have given them 401 in Postman. Maybe it was for development, and the harm was intended, but you can't risk it. I would suggest to identify the credentials used, either user or token, change them, and inform the trusted actors of the new credentials to be used.
Another thing you could do is to check in your servlet the request User-Agent header, and not permit PostmanRuntime/7.43.0 (or other version). But this is not a long term solution. Imagine requests can be made from anywhere: curl, browsers etc.
Another option would be to add some filtering rules upper in the infrastructure, to permit only known IPs:
- For AEMaaCS we have this documentation page: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/usi...
- Or you can do it at Dispatcher level: https://blogs.perficient.com/2022/02/15/ip-whitelisting-through-aem-dispatcher-in-5-easy-steps/ , for on-prem setup.
- Or if you have custom cloud, your DevOps specialist could guide you
"Maybe it was for development, and the harm was NOT intended ..." I meant to say. But I can't edit the posts anymore, to correct it. This feature was removed from community recently.
If the servlet is registered with a resource type and is publicly accessible, any user with knowledge of the endpoint can make requests to it, regardless of the client used (e.g., jQuery AJAX, Postman, etc.).
There are multiple ways you can secure your form submits.
I would say one of the best ones would be to add reCAPTCHA validation both at the client side and at the server side.
Hi @SrikanthPo3 ,
We can block fraudulent attempts from API clients like Postman.
You can combine CSRF protection, referrer validation, and CAPTCHA for immediate security.
Regards,
Thanks for your response.
We have a login feature, but the user authentication is not handled by a SAML handler; it is done through the Adobe Commerce integration. Can you please throw some light on how we can restrict the access of the servlet to logged-in users.
Can you please share the steps to implement rate limiting at AEM dispatcher?
Any document link for reference.
Hi @SrikanthPo3,
You can rely on following -
Thanks for your response @arunpatidar
CAPTCHA can be implemented only on a web page, am I correct? It might not help if someone is submitting the requests from an API client like Postman?
I will check Servlet API - Rate limit at CDN.
Hi @SrikanthPo3
CAPTCHA is used to avoid use of the application outside the browser, because the backend server needs to validate the CAPTCHA with each form submit.
https://medium.com/@hwupathum/recaptcha-how-it-works-4031eae74a8b
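The point in the answer above is that the server, not the page, does the CAPTCHA check: the browser posts the token the widget produced, and the servlet must send that token to the verification endpoint on every submit, so a client that never rendered the widget has no valid token to present. The following Java class is an added example of that server-side step, not code from this thread or from Adobe. The package name, the constructor parameters and the `expectedHost` value are assumptions; the siteverify URL, the `secret`, `response` and `remoteip` request parameters, the `g-recaptcha-response` form field and the `success` and `hostname` response fields are reCAPTCHA's documented interface; JSON parsing uses the `javax.json` (JSON-P) API, which is assumed to be available in the AEM OSGi container.

```java
package com.example.registration; // hypothetical package for this added example

import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import javax.json.Json;
import javax.json.JsonObject;

/**
 * Server-side reCAPTCHA v2 verification. Call verify() from the registration servlet's doPost
 * before inserting the record; a request without a fresh, valid token is rejected.
 */
public final class CaptchaVerifier {

    // Documented reCAPTCHA verification endpoint.
    private static final URI SITEVERIFY = URI.create("https://www.google.com/recaptcha/api/siteverify");

    private final HttpClient http = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(5))
            .build();
    private final String secret;       // server-side secret key; never shipped to the browser
    private final String expectedHost; // hostname the site key is registered for (assumed value)

    public CaptchaVerifier(String secret, String expectedHost) {
        this.secret = secret;
        this.expectedHost = expectedHost;
    }

    /**
     * Returns true only if the verification service confirms the token is valid, unused and
     * solved on our host. A missing token is a failed check, never "no CAPTCHA configured".
     */
    public boolean verify(String token, String clientIp) throws IOException, InterruptedException {
        if (token == null || token.isBlank()) {
            return false;
        }
        String form = "secret=" + enc(secret) + "&response=" + enc(token)
                + (clientIp != null ? "&remoteip=" + enc(clientIp) : "");
        HttpRequest request = HttpRequest.newBuilder(SITEVERIFY)
                .timeout(Duration.ofSeconds(5))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            return false; // fail closed when the verification service is unreachable or errors
        }
        return accept(response.body());
    }

    /** Decision rule over the siteverify JSON, kept separate so it is easy to review. */
    boolean accept(String json) {
        JsonObject result = Json.createReader(new StringReader(json)).readObject();
        // "success" is false for an invalid, expired or already-used token
        // (the error-codes array then carries e.g. "timeout-or-duplicate").
        boolean success = result.getBoolean("success", false);
        // "hostname" is where the challenge was solved; checking it is the documented way to
        // refuse a token that was solved on some other site.
        String hostname = result.getString("hostname", "");
        return success && expectedHost.equalsIgnoreCase(hostname);
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }
}
```

In the servlet this is used as `verifier.verify(request.getParameter("g-recaptcha-response"), clientIp)` and the insert is skipped when it returns false. Because each token is single-use and short-lived, a request replayed from Postman with a token copied out of a browser session fails the same way as a request with no token, which is what makes the check effective against non-browser clients.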
To secure your AEM Sling servlet from fraudulent attempts (e.g., direct access via API clients like Postman), you can implement the following measures:
1. Enable CSRF Protection: Use AEM's built-in CSRF protection to prevent unauthorized requests.
2. Validate Referrer & Origin Headers: Ensure that requests to the servlet only come from trusted sources (your website).
3. Restrict Access to Logged-in Users: Limit access to the servlet by requiring the user to be logged in (if appropriate).
4. Use CAPTCHA for Bot Prevention: Implement CAPTCHA validation, ideally both on the client and server side, to prevent automated submissions.
5. Implement Rate Limiting: Use rate limiting at the Dispatcher level or via CDN to limit excessive requests.
6. Whitelist Allowed Domains or IPs: Restrict access by whitelisting trusted domains or IPs to prevent external API clients from making requests.
7. Use JWT/OAuth Authentication: Secure your API with JWT or OAuth to ensure that only authorized users or services can invoke the servlet.
By combining these methods, especially CSRF protection, CAPTCHA, and referrer validation, you can greatly reduce the risk of fraudulent access.
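The list above, together with the earlier question about limiting the servlet to logged-in users, as one added example that is not code from this thread or from Adobe: a Sling servlet that applies points 2, 3 and 5 inside the handler (CSRF tokens and CAPTCHA are separate checks and are not shown). The package, resource type, allowed host and limit values are assumptions. It assumes the Commerce-backed login ends in an authenticated AEM session, so that the resource resolver reports a real user id; if users are authenticated only against Adobe Commerce and AEM still sees them as anonymous, the servlet would have to validate the Commerce token instead, which this example does not do.

```java
package com.example.registration; // hypothetical package for this added example

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=example/components/registration", // hypothetical resource type
        "sling.servlet.methods=POST"
})
public class RegistrationServlet extends SlingAllMethodsServlet {

    // Host(s) the registration page is served from (assumed value).
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com");

    // Illustrative limit: at most 5 submissions per client address per minute.
    private static final int MAX_REQUESTS_PER_WINDOW = 5;
    private static final long WINDOW_MILLIS = 60_000L;

    // Per-instance counters, not shared across a publish farm; that is why the thread
    // recommends Dispatcher/CDN rate limiting for production.
    private final Map<String, Deque<Long>> submissionTimes = new ConcurrentHashMap<>();

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // 1. Logged-in users only. A request without a valid login cookie or token
        //    (e.g. Postman with nothing configured) resolves to the "anonymous" user.
        String userId = request.getResourceResolver().getUserID();
        if (userId == null || "anonymous".equals(userId)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login required");
            return;
        }
        // 2. Origin/Referer must name our site. This stops a page on another site from
        //    submitting with the victim's cookies; an API client can set these headers
        //    freely, so step 1 remains the real gate.
        if (!isTrustedSource(request.getHeader("Origin"), request.getHeader("Referer"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "untrusted origin");
            return;
        }
        // 3. Per-client rate limit.
        if (!underRateLimit(clientAddress(request), System.currentTimeMillis())) {
            response.sendError(429, "too many requests"); // javax.servlet has no SC_ constant for 429
            return;
        }
        // The existing registration logic (form parsing and database insert) runs here.
        response.setStatus(HttpServletResponse.SC_OK);
    }

    /** Prefers Origin, falls back to Referer, rejects when both are absent or name another host. */
    static boolean isTrustedSource(String origin, String referer) {
        String source = (origin != null && !origin.isBlank()) ? origin : referer;
        if (source == null || source.isBlank()) {
            return false;
        }
        try {
            String host = new URI(source.trim()).getHost(); // the literal "null" origin yields a null host
            return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Sliding-window counter: true if this client may submit now, false if the window is full. */
    boolean underRateLimit(String clientKey, long nowMillis) {
        Deque<Long> times = submissionTimes.computeIfAbsent(clientKey, k -> new ArrayDeque<>());
        synchronized (times) {
            while (!times.isEmpty() && nowMillis - times.peekFirst() > WINDOW_MILLIS) {
                times.pollFirst(); // drop entries older than the window
            }
            if (times.size() >= MAX_REQUESTS_PER_WINDOW) {
                return false;
            }
            times.addLast(nowMillis);
            return true;
        }
    }

    /** Behind the Dispatcher or a CDN, getRemoteAddr() is the proxy; trust X-Forwarded-For only if the proxy overwrites it. */
    static String clientAddress(SlingHttpServletRequest request) {
        String forwarded = request.getHeader("X-Forwarded-For");
        if (forwarded != null && !forwarded.isBlank()) {
            return forwarded.split(",")[0].trim();
        }
        return request.getRemoteAddr();
    }
}
```

The order of the checks matters: authentication is evaluated first because it is the only one of the three an API client cannot satisfy by editing headers, and the rate limiter is keyed on the client address only after that, so an attacker cannot lock out legitimate users of a shared address by flooding the endpoint without credentials.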
@SrikanthPo3 Did you find the suggestions helpful? Please let us know if you need more information. If a response worked, kindly mark it as correct for posterity; alternatively, if you found a solution yourself, we’d appreciate it if you could share it with the community. Thank you!
We already have a CSRF filter rule and clientheaders configuration in our dispatcher, but still we are able to hit the AEM servlet from Postman.
I am looking for information to configure rate limiting at the AEM dispatcher. I could not find this; can you or anyone help here.
Hi @SrikanthPo3 ,
You can use ModSecurity to block clients that make an excessive number of requests within a short period at the dispatcher level. I found a helpful documentation link: https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/security/modsecurity-....
Hope this helps.
Regards,
Ayush