Expand my Community achievements bar.

SOLVED

Besides using xss api is there a recommended way of implementing content security policy headers in AEM?

Avatar

Level 3
Level 3
6/18/18 8:47:25 AM

Content Security Policies and the Experience Cloud ID Service

Content Security Policy (CSP) - HTTP | MDN

In the above links and recommendations, whitelisting urls and scripts is a standard way of implementing CSP but is there a recommendation for implementing a CSP in AEM and would like to know if someone implemented and help me in implementing one.

-Sanjay

Views

1.7K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
6/18/18 9:03:58 AM

I haven't dealt with CSP yet, but typically you set the headers on the dispatcher (via webserver configuration). This assumes that the host list for the included files is quite static and doesn't change often. Then you can configure this list statically and you don't need to bother on an AEM side with it.

If you cannot hardcode this list (or if the dev team is tasked with it), I would create a servlet filter which adds this header for HTML pages. The list of the domains is still configured somewhere (e.g. OSGI or Sling Context Aware Configuration), but then maintained by the DEV team.

From my point of view there's not much magic in there, and implementing it should be straight forward.

Jörg

View solution in original post

Views

1.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Correct answer by
Employee Advisor
Employee Advisor
6/18/18 9:03:58 AM

I haven't dealt with CSP yet, but typically you set the headers on the dispatcher (via webserver configuration). This assumes that the host list for the included files is quite static and doesn't change often. Then you can configure this list statically and you don't need to bother on an AEM side with it.

If you cannot hardcode this list (or if the dev team is tasked with it), I would create a servlet filter which adds this header for HTML pages. The list of the domains is still configured somewhere (e.g. OSGI or Sling Context Aware Configuration), but then maintained by the DEV team.

From my point of view there's not much magic in there, and implementing it should be straight forward.

Jörg

Views

1.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 2
Level 2
2/25/19 6:13:10 PM

Hi Jorg,

To implement CSP  at dispatcher level,can  we use mod_headers like below :

Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' fonts.googleapis.com  maxcdn.bootstrapcdn.com www.google.com www.youtube.com code.jquery.com www.googletagmanager.com"

Hence I included the libraries(example) which I  want to be NOT blocked.

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate