SOLVED

should NOT respond to GET /bin/querybuilder.feed.css with 200


Former Community Member

As part of our environment Scan from AMSSEC suggested this to be fixed. "should NOT respond to GET /bin/querybuilder.feed.css with 200" In the scan it turned out to be Green, which AMS prefers it to be Red. How do I get this fixed?

1 Accepted Solution


Correct answer by
Level 10

Block this specific URL or "feed*" in dispatcher.any based on your requirements:

/0090 { /type "deny"  /url "/bin/querybuilder.feed.css" }   # exact URL

or

/0090 { /type "deny"  /glob "* *.feed.css*" }   # glob over the whole request line ("GET /x.feed.css HTTP/1.1")

or

/0090 { /type "deny"  /glob "* *.feed.*" }   # any extension behind the feed selector

or

/006 {
  /type "deny"
  /path "/bin/*"
  /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)'
  /extension '(css)'
  }


7 Replies


Former Community Member

I am trying to block these:

should NOT respond to GET /bin/querybuilder.feed.css with 200

should NOT respond to GET /bin/querybuilder.json.servlet;%0aa.css with 200

should NOT respond to GET /crx/de/index.jsp;%0aa.css with 200

should NOT respond to GET /crx/explorer/index.jsp;%0aa.css with 200

So does this work?

  1. { /type "deny"  /url "/bin/querybuilder.feed.css" }
  2. { /type "deny"  /url "/bin/querybuilder.json.servlet;%0aa.css" }
  3. { /type "deny"  /url "/crx/de/index.jsp;%0aa.css" }
  4. { /type "deny"  /url "/crx/explorer/index.jsp;%0aa.css" }


Level 10

For #3 and #4, /crx/de and /crx/explorer can be blocked at AEM itself; otherwise, for the dispatcher, you should deny all and allow only relevant paths.

You should have /0001 { /type "deny" /glob "*" } to take care of "/crx" and other paths.

For #1 and #2, use "selectors" and "extension":

/006 {
  /type "deny"
  /path "/bin/*"          # or /path "/bin/querybuilder*"
  /selectors '(feed|servlet|json)'
  /extension '(css)'
  }

Refer to: Dispatcher - publisher System/console is giving 500 error.


Former Community Member

Do you mean that this doesn't work for CRX?

  1. { /type "deny"  /url "/crx/de/index.jsp;%0aa.css" }
  2. { /type "deny"  /url "/crx/explorer/index.jsp;%0aa.css" }


Level 10

It would work fine, but in the ideal scenario (per best practices) you are supposed to deny all paths and allow only specific paths. When you deny all paths, /crx is covered under that.

HTH
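A complete /filter section built the way this reply and the earlier one describe (deny everything first, allow only what the site serves, then deny the /bin selector/extension combinations the scan flagged), written here as an added example that is not from the thread or from Adobe's documentation. The /content/mysite, /etc.clientlibs and /etc/designs paths are assumed placeholders for a site's own allow list.

```text
/filter {
  # Deny everything first; a request is served only if an allow rule below matches it.
  /0001 { /type "deny"  /glob "*" }

  # Allow only what the site actually serves (placeholder paths; adjust to your site).
  /0010 { /type "allow" /method "GET" /url "/content/mysite/*" }
  /0011 { /type "allow" /method "GET" /url "/etc.clientlibs/*" }
  /0012 { /type "allow" /method "GET" /url "/etc/designs/*" }

  # /crx, /bin, /system and anything else never matches an allow rule,
  # so /0001 already covers /crx/de/index.jsp and /crx/explorer/index.jsp.

  # Explicit deny for /bin as well, so the feed/servlet/json selectors with a
  # .css extension stay blocked even if an allow rule for /bin is added later.
  /0090 {
    /type "deny"
    /path "/bin/*"
    /selectors '(feed|servlet|json)'
    /extension '(css)'
    }
  }
```

After deploying the file and restarting the web server, repeat the scan's four GET requests against the dispatcher host name (not against the publish instance directly, which bypasses these rules) and confirm that each one returns something other than 200; a 404 from the dispatcher is the usual result for a denied request.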


Level 1

How can I do that in AEM itself?

How can it be done using /path, /selectors, /extension?

Thanks


Level 10

Check the Security Checklist:

Check if the CRX development bundles are present

These development OSGi bundles should be uninstalled on both author and publish productive systems before making them accessible.

  • Adobe CRXDE Support (com.adobe.granite.crxde-support)
  • Adobe Granite CRX Explorer (com.adobe.granite.crx-explorer)
  • Adobe Granite CRXDE Lite (com.adobe.granite.crxde-lite)