SOLVED

Sitemap.xml and security checklist

dips1, Level 1

I am using the ACS sitemap feature to generate the sitemap for my site. This is rendered on the page with .xml extension.
However, the security checklist recommends disabling .xml extension in the Apache Configuration.

"As a preventive measure disable the other default renderers (HTML, plain text, XML). Again by configuring the Apache Sling GET Servlet."

https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/security-checklist.html
https://adobe-consulting-services.github.io/acs-aem-commons/features/sitemap/index.html

How is this conflict usually managed in websites using AEM and ACS sitemap?

I think .xml extension should be enabled in AEM and blocked/managed via dispatcher conditionally.

1 Accepted Solution
Vaibhavi_Gowda, Community Advisor (correct answer)

Hi @dips1,

Yes, you are right.

Adobe recommends blocking XML requests by default.

But if we are using sitemap.xml, the configuration has to be enabled, and the configuration is as follows.

1. Enable the .xml extension in the Apache Sling GET Servlet.

2. Deny all XML requests in the dispatcher.

/0001 { /type "deny" /glob "*" }

3. Enable the sitemap.xml request alone in the dispatcher.

/0011 { /type "allow" /url "/sitemap.xml" }

This will meet our security checklist.

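To make the ordering in steps 2 and 3 concrete, here is a small Python simulation of how the dispatcher walks a /filter section: rules are evaluated top to bottom and the last matching rule wins, so the deny-all must come before the narrow sitemap allow. This is an added example, not dispatcher code or anything posted in the thread; the /0002 rule for HTML pages and the sample URLs are constructed.

```python
"""Simulate how the AEM dispatcher walks a /filter section (last match wins)."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed filter section. The dispatcher evaluates rules top to bottom and
# the LAST rule that matches a request decides its fate, so the deny-all must
# precede the narrow allow for the sitemap. Rule 0002 (assumed, not from the
# thread) is the usual allow that lets ordinary HTML pages through.
FILTERS = [
    ("0001", "deny",  {"glob": "*"}),
    ("0002", "allow", {"url": "/content/*", "extension": "html"}),
    ("0011", "allow", {"url": "/sitemap.xml"}),
]


def request_parts(method, url):
    """Split a request into the pieces a dispatcher filter can match on."""
    path = urlsplit(url).path
    last_segment = path.rsplit("/", 1)[-1]
    extension = last_segment.rsplit(".", 1)[1] if "." in last_segment else ""
    return {
        "glob": f"{method} {url} HTTP/1.1",  # /glob matches the whole request line
        "url": path,                         # /url matches the URL path
        "extension": extension,
        "method": method,
    }


def rule_matches(rule, parts):
    """Every property listed in the rule must match for the rule to apply."""
    return all(fnmatchcase(parts[key], pattern) for key, pattern in rule.items())


def evaluate(method, url, filters=FILTERS):
    """Return 'allow' or 'deny' for a request; None means no rule matched."""
    parts = request_parts(method, url)
    verdict = None
    for _rule_id, action, rule in filters:
        if rule_matches(rule, parts):
            verdict = action  # a later match overrides an earlier one
    return verdict


if __name__ == "__main__":
    for url in ("/sitemap.xml", "/content/site/en.html", "/content/site/en.xml", "/etc/config.xml"):
        print(f"{url:24} -> {evaluate('GET', url)}")
    # Same rules reversed: the deny-all now comes last and swallows the sitemap.
    print("misordered /sitemap.xml  ->", evaluate("GET", "/sitemap.xml", list(reversed(FILTERS))))
```

Running it shows /sitemap.xml allowed while other .xml requests are denied, and that simply reversing the rule order blocks the sitemap again.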

2 Replies
vanegi, Employee

You can block these requests at dispatcher level. At the dispatcher level, you can achieve the use case in the following ways:

- Use the mod_rewrite module (for example, Apache 2.4) to perform URL validations (if the URL pattern rules are not too complex).

- Create a filter in dispatcher.any.

- Prevent the dispatcher from caching URLs with spurious extensions by using filters. For example, change the caching rules to limit caching to the expected mime types.
