Adobe Experience Manager Sites & More

Report · 3/14/19

As part of our environment Scan from AMSSEC suggested this to be fixed. "should NOT respond to GET /bin/querybuilder.feed.css with 200" In the scan it turned out to be Green, which AMS prefers it to be Red. How do I get this fixed?

Gaurav-Behl · 3/14/19

Block this specific url or "feed*" in dispatcher.any based on your requirements

/0090 { /type "deny" /url"/bin/querybuilder.feed.css" } or

/0090 { /type "deny" /glob "* *.feed.css*" } or

/0090 { /type "deny" /glob "* *.feed.*" } or

/006 {

/type "deny"

/path "/bin/*"

/extension '(css)'

}

View solution in original post

Gaurav-Behl · 3/14/19

Block this specific url or "feed*" in dispatcher.any based on your requirements

/0090 { /type "deny" /url"/bin/querybuilder.feed.css" } or

/0090 { /type "deny" /glob "* *.feed.css*" } or

/0090 { /type "deny" /glob "* *.feed.*" } or

/006 {

/type "deny"

/path "/bin/*"

/extension '(css)'

}

Report · 3/14/19

I am trying to block these:

should NOT respond to GET /bin/querybuilder.feed.css with 200

should NOT respond to GET /bin/querybuilder.json.servlet;%0aa.css with 200

should NOT respond to GET /crx/de/index.jsp;%0aa.css with 200

should NOT respond to GET /crx/explorer/index.jsp;%0aa.css with 200

so does this work?

{ /type "deny" /url"/bin/querybuilder.feed.css" }
{ /type "deny" /url"/bin/querybuilder.json.servlet;%0aa.css" }
{ /type "deny" /url"/crx/de/index.jsp;%0aa.css" }
{ /type "deny" /url"/crx/explorer/index.jsp;%0aa.css" }

Gaurav-Behl · 3/14/19

for #3 and #4, /crx/de and /crx/explorer can be blocked at AEM itself otherwise for dispatcher you should deny all and allow only relevant paths.

You should have /0001 { /type "deny" /glob "*" } to take care of "/crx" and other paths

for #1 and #2, use "selectors" and "extension"

/006 {

/type "deny"

/path "/bin/*" or /path "/bin/querybuilder*"

/selectors '(feed|servlet|json)'

/extension '(css)'

}

refer - Dispatcher- publisher System/console is giving 500 error.

Report · 3/14/19

Do you mean that this doesn't work for CRX?

{ /type "deny" /url"/crx/de/index.jsp;%0aa.css" }
{ /type "deny" /url"/crx/explorer/index.jsp;%0aa.css" }

Gaurav-Behl · 3/14/19

It would work fine but in ideal scenario (per best practices), you are supposed to deny all paths and allow only specific paths. When you deny all paths, /crx is covered under that.

HTH

IPinchuk · 9/9/19

How can I do that in AEM itself?

How it can be done using /path, /selectors, /extension?

Thanks

Gaurav-Behl · 9/9/19

check Security Checklist

Check if the CRX development bundles are present

These development OSGi bundles should be uninstalled on both author and publish productive systems before making them accessible.

Adobe CRXDE Support (com.adobe.granite.crxde-support)
Adobe Granite CRX Explorer (com.adobe.granite.crx-explorer)
Adobe Granite CRXDE Lite (com.adobe.granite.crxde-lite)

Adobe Experience Manager Sites & More

should NOT respond to GET /bin/querybuilder.feed.css with 200

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe