SRI implementation in AEM site

Question

Any one has done Implementation of CSP with Nonce for Inline scripts in AEM as we are using CSP in dispatcher. how we can update Nonce dynamically in CSP and script both?

arunpatidar · Accepted Answer

Hi @arunjh1

Please check

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-implement-nonce-for-content-security-policy-script-src/m-p/716846

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/add-nonce-value-to-content-security-policy-headers/m-p/691401

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-as-a-cloud-how-to-add-nonce-values-to-content-security/m-p/645512

AmitVishwakarma · Answer

Hi @arunjh1 ,Try below step's:Step 1: Enable Dispatcher to Pass Dynamic CSP HeaderIn Dispatcher (Apache HTTPD):/conf/dispatcher/filters/filters.any# Allow the CSP header to be passed from AEM/Header set Content-Security-Policy "script-src 'self' 'nonce-%{CSP_NONCE}e'"Add to Apache virtual host:SetEnvIf Request_URI ".*" CSP_NONCE=<%{CSP_NONCE}e>However, you’ll need to set CSP_NONCE environment variable dynamically from AEM using Sling filters or Servlet Filters. Step 2: Generate Nonce in AEM Using Servlet Filterpackage com.example.core.filters;import org.apache.commons.lang3.RandomStringUtils;import org.osgi.service.component.annotations.Component;import javax.servlet.*;import java.io.IOException;@Component(service = Filter.class, property = { "sling.filter.scope=request", "service.ranking=1000" })public class CspNonceFilter implements Filter { public static final String NONCE_ATTRIBUTE = "cspNonce"; @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { String nonce = RandomStringUtils.randomAlphanumeric(16); request.setAttribute(NONCE_ATTRIBUTE, nonce); // Add CSP Header if (response instanceof HttpServletResponse) { ((HttpServletResponse) response).setHeader("Content-Security-Policy", "script-src 'self' 'nonce-" + nonce + "'"); } chain.doFilter(request, response); }}Step 3: Use Nonce in HTL (Sightly)Use the request attribute in your component's HTL:Step 4: Make Dispatcher Cache Respect Dynamic Header (Cloud Service Note )You must avoid full page caching if the CSP nonce is dynamic per request.Options:Use Edge-side include (ESI) (Akamai/Fastly/CDN level) for nonce placeholder.Or: Disable caching for CSP dynamic pages.Or: use a JS nonce injection solution post-cache (less secure but works if needed).Step 5: AEM as a Cloud Service NotesOn AEMaaCS, for performance and CSP:You can use a Page Model approach, or use Sling Dynamic Include (SDI) for injecting the nonce via non-cached include.Or register a PageHeadFilter and add a nonce meta tag + CSP header centrally.Sample OutputHeader:Content-Security-Policy: script-src 'self' 'nonce-xYzAbc123QWE78as'HTML: Regards,Amit

Any one has done Implementation of CSP with Nonce for Inline scripts in AEM as we are using CSP in dispatcher. how we can update Nonce dynamically in CSP and script both?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded