Submissions are now open for the 2026 Adobe Experience Maker Awards.
SOLVED
Inquiry About Access Restrictions for AEM Edge Delivery Services
1 Accepted Solution
Correct answer by
Hi @Ben_Hu,
AEM Edge Delivery Services (EDS) preview and live URLs (e.g., branch--repo--owner.aem.page) are publicly accessible by default, unlike AEM Sites author instances. Here's a breakdown of how you can restrict access and protect content/actions in EDS:
1. Restricting Preview Access
Enable Authentication for Preview
EDS does not support built-in Adobe authentication like AEM Sites (e.g., via Adobe IMS), but you can restrict preview access using:
GitHub Private Repositories
-
Make your GitHub repo private.
-
This ensures that only authorized GitHub users can access or push content via Sidekick.
-
However, this does NOT restrict page preview access to
*.aem.pageURLs.
Use a Preview Environment Proxy
Set up a reverse proxy (e.g., Cloudflare, NGINX) in front of the preview domain and apply:
-
IP allowlisting
-
Basic Auth
-
JWT/Auth0 if more robust login is needed
Adobe’s
*.aem.pagedomains cannot be customized with IP allow lists directly — you’d need to place a proxy in front.
2. Restricting Content Deletion / Publishing via Sidekick
By default, Sidekick actions like "Publish", "Unpublish", "Delete":
-
Are linked to GitHub commits, not gated by Adobe auth.
-
Anyone with access to the Sidekick URL and repo write access can trigger these.
Secure these actions:
Use GitHub Branch Protection Rules
-
Prevent force pushes to
main/livebranches. -
Require pull requests + code review to merge.
-
Disable GitHub Actions for non-admin contributors.
Restrict GitHub Write Access
-
Make the repo private.
-
Limit collaborator permissions (read-only or PR-only).
Customize Sidekick Actions
In your config.json or sidekick.config.js, you can:
-
Remove or restrict Sidekick buttons (e.g.,
delete,unpublish) from non-admins. -
Example: Remove “delete” action for all but you:
if (context.user !== 'your-username') {
delete config.actions.delete;
}3. IP Allowlisting / Access Control
Unfortunately, the *.aem.page domain doesn’t offer native IP restrictions from Adobe. Workaround options:
Use an Edge Proxy with Access Control
-
Deploy a custom proxy (Cloudflare Workers, Fastly, or NGINX)
-
Route requests to
*.aem.page -
Enforce:
-
IP restrictions
-
Basic authentication
-
Token-based headers
-
Santosh Sai
Correct answer by
Hi @Ben_Hu,
AEM Edge Delivery Services (EDS) preview and live URLs (e.g., branch--repo--owner.aem.page) are publicly accessible by default, unlike AEM Sites author instances. Here's a breakdown of how you can restrict access and protect content/actions in EDS:
1. Restricting Preview Access
Enable Authentication for Preview
EDS does not support built-in Adobe authentication like AEM Sites (e.g., via Adobe IMS), but you can restrict preview access using:
GitHub Private Repositories
-
Make your GitHub repo private.
-
This ensures that only authorized GitHub users can access or push content via Sidekick.
-
However, this does NOT restrict page preview access to
*.aem.pageURLs.
Use a Preview Environment Proxy
Set up a reverse proxy (e.g., Cloudflare, NGINX) in front of the preview domain and apply:
-
IP allowlisting
-
Basic Auth
-
JWT/Auth0 if more robust login is needed
Adobe’s
*.aem.pagedomains cannot be customized with IP allow lists directly — you’d need to place a proxy in front.
2. Restricting Content Deletion / Publishing via Sidekick
By default, Sidekick actions like "Publish", "Unpublish", "Delete":
-
Are linked to GitHub commits, not gated by Adobe auth.
-
Anyone with access to the Sidekick URL and repo write access can trigger these.
Secure these actions:
Use GitHub Branch Protection Rules
-
Prevent force pushes to
main/livebranches. -
Require pull requests + code review to merge.
-
Disable GitHub Actions for non-admin contributors.
Restrict GitHub Write Access
-
Make the repo private.
-
Limit collaborator permissions (read-only or PR-only).
Customize Sidekick Actions
In your config.json or sidekick.config.js, you can:
-
Remove or restrict Sidekick buttons (e.g.,
delete,unpublish) from non-admins. -
Example: Remove “delete” action for all but you:
if (context.user !== 'your-username') {
delete config.actions.delete;
}3. IP Allowlisting / Access Control
Unfortunately, the *.aem.page domain doesn’t offer native IP restrictions from Adobe. Workaround options:
Use an Edge Proxy with Access Control
-
Deploy a custom proxy (Cloudflare Workers, Fastly, or NGINX)
-
Route requests to
*.aem.page -
Enforce:
-
IP restrictions
-
Basic authentication
-
Token-based headers
-
Santosh Sai
Thanks for the response.
However, I have a question regarding the following point:
GitHub Private Repositories
This ensures that only authorized GitHub users can access or push content via Sidekick.
My GitHub repository is already set to private, but I’m still able to delete a page under the following conditions:
When I click “Edit” on Sidekick, it opens the Adobe login page.
Even if I don’t log in, the "Delete" button still appears in Sidekick.
Then click "Delete," the page becomes a 404.
However, when I check the content in AEM, the page still exists.
Could there be a misconfiguration on my side that prevents proper authentication or deletion behavior?
Hi @Ben_Hu
When you delete the page, page is deleted from S3 bucket which the EDS content-hub, where all the content markup is stored.
you can check the EDS architecture here : https://github.com/adobe/helix-home/blob/main/docs/architecture.md
Arun Patidar
Adobe is working on a solution to restrict direct preview and live url. Please keep check the updated from them.
Join EDS discord channel for queries/updates : https://discord.com/channels/1131492224371277874/1144495462255185971
Arun Patidar
