Sitemap.xml and security checklist

dips1

06-07-2020

I am using the ACS sitemap feature to generate the sitemap for my site. This is rendered on the page with the .xml extension.
However, the security checklist recommends disabling the .xml extension in the Apache configuration.

"As a preventive measure disable the other default renderers (HTML, plain text, XML). Again by configuring the Apache Sling GET Servlet."

https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/security-checklist.html
https://adobe-consulting-services.github.io/acs-aem-commons/features/sitemap/index.html

How is this conflict usually managed in websites using AEM and the ACS sitemap?

I think .xml extension should be enabled in AEM and blocked/managed via dispatcher conditionally.

Accepted Solutions (1)

Vaibhavi

MVP

06-07-2020

Hi @dips1,

Yes, you are right.

Adobe recommends blocking XML requests by default.

But if we are using sitemap.xml, it has to be enabled and configured as follows.

1. Enable the .xml extension in the Apache Sling GET Servlet.

2. Deny all XML requests in the dispatcher.

/0001 { /type "deny" /glob "*" }

3. Enable the sitemap.xml request alone in the dispatcher.

/0011 { /type "allow" /url "/sitemap.xml" }

This will meet our security checklist.
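As an added illustration (not part of this thread), a dispatcher.any filter section that implements steps 2 and 3 together with the site's normal content rules; the /content/mysite path and the rule numbers other than /0001 and /0011 are assumed. Dispatcher evaluates filter rules in order and the last matching rule wins, so the sitemap allow must come after every deny that would otherwise match it.

```text
/filter
  {
  # Default: deny everything. /glob matches the whole request line
  # (e.g. "GET /sitemap.xml HTTP/1.1"), so this covers every method and URL.
  /0001 { /type "deny" /glob "*" }

  # Allow the site's pages and client libraries (assumed paths).
  /0002 { /type "allow" /url "/content/mysite/*" }
  /0003 { /type "allow" /url "/etc.clientlibs/*" }

  # Re-deny any request for an .xml rendition, including ones under
  # /content/mysite/* that /0002 just allowed. Blocks the default Sling
  # XML renderer from exposing raw node data through the dispatcher.
  /0010 { /type "deny" /extension "xml" }

  # Whitelist only the sitemap. This must come AFTER /0010: if the two
  # rules were swapped, /0010 would be the last match and the sitemap
  # would be denied as well.
  /0011 { /type "allow" /url "/sitemap.xml" }
  }
```

A quick check after deploying is to request /sitemap.xml and a .xml variant of a normal page through the dispatcher: the first should be served, the second rejected.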

Answers (1)

vanegi

Employee

06-07-2020

You can block these requests at the dispatcher level. At the dispatcher level, you can achieve the use case in the following ways:

- Use the mod_rewrite module (for example, Apache 2.4) to perform URL validations (if the URL pattern rules are not too complex).

- Create a filter in dispatcher.any.

- Prevent the dispatcher from caching URLs with spurious extensions by using filters. For example, change the caching rules to limit caching to the expected mime types.