
Suggestion to block children and home endpoints in AEM


Level 2

Hi Team,

 

We received a vulnerability ticket asking us to block the children, childrenlist and home.json endpoints.

 

Whenever we hit www.abc.com/content/*/*/*.children.json, we can see the JSON files loading, so we added the following deny rules in the publish.ehs.any file:

 

    /0012 {
        /url "/childrenlist.json"
        /type "deny"
    }
    /0013 {
        /url "/children.json"
        /type "deny"
    }

 

but the JSON files are still loading, so it would be helpful to get any suggestions on how to block these endpoints.

 

Regards,

Anusha
 

2 Replies


Level 2

Hi @AnushaAt 

 

Add a filter condition like the one below to your dispatcher filter.any file.

 

{ /type "deny" /suffix '(.*infinity.*|.*children.*|.*tidy.*)' }
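As an added example (my own fragment, not from the question or either reply), here is a filter.any section that places the question's ineffective rules next to selector-based rules that match the way Sling parses a request such as /content/site/en/home.children.json. The rule numbers, the extension list and the */home.json glob are assumptions; fit them to your own numbering.

```text
# Added example, not from the thread. Rule numbers, the extension list and the
# */home.json glob are assumptions; adapt them to your own filter.any numbering.

/filter {

  # ... your existing allow rules ...

  # Ineffective (as posted in the question): /url is compared against the whole
  # request path, and the glob "/children.json" contains no wildcard, so a request
  # for /content/site/en/home.children.json never matches either rule.
  /0012 { /url "/childrenlist.json" /type "deny" }
  /0013 { /url "/children.json" /type "deny" }

  # Effective: in /content/site/en/home.children.json, "children" is a Sling
  # selector and "json" is the extension, so match on /selectors and /extension.
  # Single quotes mean a regex, double quotes mean a glob. The optional groups
  # also catch the selector when it is combined with others (e.g. a.children).
  /0090 { /type "deny" /selectors '(.*\.)?(children|childrenlist|infinity|tidy|forms)(\..*)?' /extension '(json|html|xml)' }

  # The ticket also named home.json; this denies the bare page-as-JSON URL by
  # glob (assumption: that is the request the ticket meant).
  /0091 { /type "deny" /url "*/home.json" }

  # Keep these deny rules after any allow rule that could match the same
  # request: the dispatcher evaluates every rule and the last matching rule wins.
}
```

After reloading the dispatcher, the request from the question should no longer return 200, and dispatcher.log records the rejected request, which is the quickest way to confirm the rule is the one doing the blocking.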

 


Level 1

Dispatcher configurations are a partial solution that can be bypassed by certain requests. These are the Adobe components you would need to disable in the OSGI console at /system/console/components

 

  • stop "com.day.cq.dam.s7dam.common.servlets.S7damChildServlet" to disable the .children selector
  • stop "com.day.cq.wcm.core.impl.servlets.ChildrenListServlet" to disable the .childrenlist selector

 

Manually stopping components is not an ideal approach since those components will restart when AEM is restarted. A more reliable approach is to use the ACS AEM Commons project's "OSGI Component Disabler" feature that lets you disable specific components based on their class name. You can also add a configuration file for the Disabler to your codebase so the unwanted components are disabled in a reliable way. 

 

Adobe's AEM security checklist also recommends disabling the "Day CQ WCM Form Chooser Servlet" by blocking it with your dispatcher, but you should also disable it on your publish instance:

  • stop "com.day.cq.wcm.foundation.forms.impl.FormChooserServlet" to disable the .forms selector