
SOLVED

Sitemap.xml and security checklist


Level 1

I am using the ACS sitemap feature to generate the sitemap for my site. This is rendered on the page with the .xml extension.
However, the security checklist recommends disabling the .xml extension in the Apache configuration.

"As a preventive measure disable the other default renderers (HTML, plain text, XML). Again by configuring the Apache Sling GET Servlet."

https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/security-checklist.html
https://adobe-consulting-services.github.io/acs-aem-commons/features/sitemap/index.html

How is this conflict usually managed in websites using AEM and the ACS sitemap?

I think .xml extension should be enabled in AEM and blocked/managed via dispatcher conditionally.

1 Accepted Solution


Correct answer by
Community Advisor

Hi @dips1,

Yes, you are right.

Adobe recommends blocking xml requests by default.

But if we are using sitemap.xml, the configuration has to be enabled, as follows.

1. Enable .xml in the Apache Sling GET servlet.

2. Deny all the xml requests in the dispatcher.

/0001 { /type "deny" /glob "*" }

3. Enable the sitemap.xml request alone in the dispatcher.

/0011 { /type "allow" /url "/sitemap.xml" }

This will meet our security checklist. 
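The three steps above written out as a complete /filter section for dispatcher.any. This is an added example, not the advisor's own configuration; /content/mysite is a placeholder for the real content root. Dispatcher evaluates filter rules from top to bottom and the last matching rule wins, which is why the deny-all rule has to come first.

```text
/filter {
  # Step 2: deny every request by default. Rules are evaluated in order and
  # the last matching rule wins, so this must remain the first rule.
  /0001 { /type "deny" /url "*" }

  # Allow the site's pages only in the renderer the site actually uses (HTML).
  # /content/mysite is a placeholder for the real content root.
  /0002 { /type "allow" /method "GET" /url "/content/mysite/*" /extension "html" }

  # Step 3: allow the ACS Commons sitemap alone. Matching the exact path means
  # other .xml renderings of content (for example /content/mysite/en.xml) are
  # still caught by /0001, even though .xml is enabled in the Sling GET servlet.
  /0011 { /type "allow" /method "GET" /url "/sitemap.xml" }
}
```

After a dispatcher restart, a request for /sitemap.xml should return the sitemap while a request for any content page with the .xml extension should be answered by the dispatcher with 404.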


2 Replies


Employee

You can block these requests at the dispatcher level. At the dispatcher level, you can achieve the use case in the following ways:

- Use the mod_rewrite module (for example, Apache 2.4) to perform URL validations (if the URL pattern rules are not too complex).

- Create a filter in dispatcher.any.

- Prevent the dispatcher from caching URLs with spurious extensions by using filters. For example, change the caching rules to limit caching to the expected mime types.
