March 14, 2019
Solved

should NOT respond to GET /bin/querybuilder.feed.css with 200

  • March 14, 2019
  • 7 replies
  • 4800 views

As part of our environment scan, AMSSEC suggested this be fixed: "should NOT respond to GET /bin/querybuilder.feed.css with 200". In the scan it turned out to be Green, which AMS prefers to be Red. How do I get this fixed?


7 replies

Gaurav-Behl (Accepted solution)
Level 10
March 14, 2019

Block this specific URL or "feed*" in dispatcher.any, based on your requirements:

/0090 { /type "deny"  /url "/bin/querybuilder.feed.css" }

or

/0090 { /type "deny"  /glob "* *.feed.css*" }

or

/0090 { /type "deny"  /glob "* *.feed.*" }

or

/006 {
  /type "deny"
  /path "/bin/*"
  /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)'
  /extension '(css)'
  }

March 14, 2019

I am trying to block these:

should NOT respond to GET /bin/querybuilder.feed.css with 200

should NOT respond to GET /bin/querybuilder.json.servlet;%0aa.css with 200

should NOT respond to GET /crx/de/index.jsp;%0aa.css with 200

should NOT respond to GET /crx/explorer/index.jsp;%0aa.css with 200

So, does this work?

  1. { /type "deny"  /url "/bin/querybuilder.feed.css" }
  2. { /type "deny"  /url "/bin/querybuilder.json.servlet;%0aa.css" }
  3. { /type "deny"  /url "/crx/de/index.jsp;%0aa.css" }
  4. { /type "deny"  /url "/crx/explorer/index.jsp;%0aa.css" }

Gaurav-Behl
Level 10
March 14, 2019

For #3 and #4, /crx/de and /crx/explorer can be blocked at AEM itself; otherwise, for the dispatcher you should deny all and allow only relevant paths.

You should have /0001 { /type "deny" /glob "*" } to take care of "/crx" and other paths.

For #1 and #2, use "selectors" and "extension":

/006 {
  /type "deny"
  /path "/bin/*"        # or /path "/bin/querybuilder*"
  /selectors '(feed|servlet|json)'
  /extension '(css)'
  }

Refer to: Dispatcher - publisher System/console is giving 500 error.

March 14, 2019

Do you mean that this doesn't work for CRX?

  1. { /type "deny"  /url "/crx/de/index.jsp;%0aa.css" }
  2. { /type "deny"  /url "/crx/explorer/index.jsp;%0aa.css" }
Gaurav-Behl
Level 10
March 15, 2019

It would work fine, but in an ideal scenario (per best practices) you are supposed to deny all paths and allow only specific paths. When you deny all paths, /crx is covered under that.

HTH
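To see why the deny-all / allow-list layout recommended above covers /crx as well as the /bin selector variants, here is an added example (not code from the thread or from Adobe): a small Python model of dispatcher filter evaluation, checked against the URLs the scan flagged. It assumes rules are evaluated in order with the last matching rule winning, requests are split the Sling way into resource path, selectors and extension, /glob here is matched against the path only (the real dispatcher matches the whole request line), /selectors is tested against each selector, and /content/* is the constructed allow-listed site path.

```python
import fnmatch
import re
from urllib.parse import unquote


def split_request(url):
    """'/bin/querybuilder.feed.css' -> ('/bin/querybuilder', ['feed'], 'css')."""
    path = unquote(url.split("?", 1)[0])  # decode %0a etc. as the server would
    head, _, last = path.rpartition("/")
    parts = last.split(".")
    if len(parts) == 1:                    # no dot: no selectors, no extension
        return path, [], ""
    return f"{head}/{parts[0]}", parts[1:-1], parts[-1]


def rule_matches(rule, url):
    """True if every property present in the rule matches the request."""
    resource, selectors, ext = split_request(url)
    if "glob" in rule and not fnmatch.fnmatchcase(url.split("?")[0], rule["glob"]):
        return False
    if "path" in rule and not fnmatch.fnmatchcase(resource, rule["path"]):
        return False
    if "selectors" in rule and not any(re.fullmatch(rule["selectors"], s) for s in selectors):
        return False
    if "extension" in rule and not re.fullmatch(rule["extension"], ext):
        return False
    return True


def decide(rules, url):
    """Walk the filter section in order; the last matching rule decides."""
    verdict = "deny"                       # nothing matched: deny (assumption)
    for rule in rules:
        if rule_matches(rule, url):
            verdict = rule["type"]
    return verdict


# Constructed filter set in the order the answer describes: deny everything,
# allow the site content (assumed to live under /content), then explicitly
# deny the /bin selector/extension combinations the scan complained about.
FILTERS = [
    {"type": "deny", "glob": "*"},
    {"type": "allow", "path": "/content/*", "extension": "(html|json)"},
    {"type": "deny", "path": "/bin/*", "selectors": "(feed|rss|servlet|json)", "extension": "(css)"},
]

if __name__ == "__main__":
    for u in ["/bin/querybuilder.feed.css", "/crx/de/index.jsp", "/content/site/en.html"]:
        print(u, "->", decide(FILTERS, u))
```

Note that /crx/de/index.jsp is denied without any /crx-specific rule, because only the deny-all rule matches it.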

IPinchuk
September 9, 2019

How can I do that in AEM itself?

How can it be done using /path, /selectors, /extension?

Thanks

Gaurav-Behl
Level 10
September 9, 2019

Check the Security Checklist:

Check if the CRX development bundles are present

These development OSGi bundles should be uninstalled on both author and publish productive systems before making them accessible.

  • Adobe CRXDE Support (com.adobe.granite.crxde-support)
  • Adobe Granite CRX Explorer (com.adobe.granite.crx-explorer)
  • Adobe Granite CRXDE Lite (com.adobe.granite.crxde-lite)