Hi Team,
What security measures should be taken care of when one AEM 6.5 Publisher and Dispatcher are placed outside the firewall?
This is required to make it accessible to external customers, but I would like to know what security measures we have to take care of for this.
Kindly suggest. Thanks.
Hello @SmrithiGo
Important Security Measures (Checklist):
1. Deploy Dispatcher as a Security Layer
- Use Dispatcher in front of Publisher to filter requests and cache content.
- Always use the latest Dispatcher version.
- Run Dispatcher under a dedicated, least-privileged user.
2. Harden Dispatcher Configuration
- Deny all requests by default, then allow only necessary URLs (allowlist approach).
- Strictly restrict access to admin interfaces (CRXDE, OSGi Console, etc.).
- Only expose required endpoints for public content.
- Configure caching to cover only appropriate file types (e.g., .html, .js, .css, images).
3. Enforce HTTPS Everywhere
- Use HTTPS for all communication.
- Apply CA-signed certificates (not self-signed) and disable outdated protocols (e.g., SSLv3).
4. Protect Cache Operations
- Limit which clients can flush the Dispatcher cache (e.g., internal IPs only).
5. Prevent Common Security Risks
- Implement Cross-Site Request Forgery (CSRF) protection.
- Add security headers: X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, etc.
- Monitor and protect against DoS attacks through filters.
6. Firewalls and Network Segmentation
- Place Dispatcher and Publisher in a DMZ, isolated from the internal network.
- Use firewalls to control both external and internal traffic.
7. Restrict Access and Permissions
- Ensure repository permissions are set so only intended content is public.
- Disable or restrict unused consoles and services on Publish.
8. Monitor and Update Regularly
- Set up logging and alerts for suspicious activity.
- Regularly update all software components and run AEM security health checks.
References:
https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/getting-started/secur...
https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/owasp-top10
Hello @SmrithiGo,
When one AEM 6.5 Publisher and Dispatcher are placed outside the internal firewall to make the site accessible to external users, it’s important to implement multiple layers of security to safeguard the environment. Below are the key security measures to consider:
Dispatcher-Level Hardening
Allow only HTTP/HTTPS (ports 80/443).
Deny unsafe HTTP methods (PUT, DELETE, TRACE, CONNECT, OPTIONS).
Restrict access to sensitive AEM paths such as /libs, /apps, /system, /crx, /etc, /home, etc.
Enable host header validation and restrict allowed domains.
Cache only public content; exclude authenticated or restricted pages.
Use /allowedClients to limit flush and admin requests to internal IPs only.
Publisher Security
Disable CRXDE Lite and OSGi consoles (/system/console).
Restrict anonymous access to only public content.
Use HTTPS for Author → Publisher replication with a dedicated service user.
Keep service packs updated and ensure minimal service user permissions.
Network and Firewall
Place Dispatcher in the DMZ and Publisher behind it; do not expose Publisher directly.
Allow only inbound traffic to Dispatcher, and internal traffic from Dispatcher → Publisher.
Use HTTPS/TLS 1.2+ for all external communication.
Deploy a Web Application Firewall (WAF) and/or CDN for additional protection (XSS, SQLi, DDoS, etc.).
Logging and Monitoring
Enable access and error logs at both Dispatcher and Publisher levels.
Integrate logs with SIEM tools (e.g., Splunk, ELK) for threat monitoring.
Configure rate limiting and request throttling where possible.
General Best Practices
Follow Adobe’s official AEM 6.5 Security Checklist.
Perform regular security scans and penetration testing.
Review configurations periodically after releases or system changes.
In short, keep the Dispatcher as the only public-facing component, secure it with WAF and HTTPS, and ensure the Publisher remains protected behind the firewall with strict access control.
Regards,
Manvi Sharma
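The Dispatcher points from both answers (deny-by-default filters, blocking unsafe methods, re-denying /libs, /apps, /system, /crx, /etc and /home, host-header validation via /virtualhosts, and /allowedClients for cache flushes) collected into one farm. This is an added example dispatcher.any, not configuration from either reply or from Adobe; the host names, the Publisher address, the 10.0.1.* flush range and the docroot are placeholders to replace with your own values.

```apache
/farms
{
  /publish
  {
    # Host header validation: answer only for the public site's domains (placeholders)
    /virtualhosts { "www.example.com" "example.com" }
    /clientheaders { "*" }

    # The Publisher is reached only over the internal network, never exposed directly (placeholder host)
    /renders { /rend01 { /hostname "publish.internal" /port "4503" } }

    # Filters are evaluated in order and the last matching rule wins:
    # deny everything first, then allow only what public visitors need.
    /filter
    {
      /0001 { /type "deny"  /url "*" }
      /0002 { /type "allow" /method '(GET|HEAD)' /url "/content/*" }
      /0003 { /type "allow" /method '(GET|HEAD)' /url "*.css" }
      /0004 { /type "allow" /method '(GET|HEAD)' /url "*.js" }
      /0005 { /type "allow" /method '(GET|HEAD)' /url "*.png" }
      /0006 { /type "allow" /method '(GET|HEAD)' /url "*.jpg" }
      /0007 { /type "allow" /method '(GET|HEAD)' /url "/etc.clientlibs/*" }
      # Re-deny admin and internal paths so no allow rule above can reach them
      /0010 { /type "deny" /url "/system/*" }
      /0011 { /type "deny" /url "/crx/*" }
      /0012 { /type "deny" /url "/libs/*" }
      /0013 { /type "deny" /url "/apps/*" }
      /0014 { /type "deny" /url "/home/*" }
      /0015 { /type "deny" /url "/etc/*" }
      # Block Sling selectors and extensions that expose repository structure
      /0020 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }
    }

    /cache
    {
      /docroot "/var/www/html"
      # Cache public content only; add /type "deny" rules here for personalised or restricted paths
      /rules { /0000 { /glob "*" /type "allow" } }
      # Only internal hosts may flush the cache (placeholder range)
      /allowedClients
      {
        /0000 { /glob "*" /type "deny" }
        /0001 { /glob "10.0.1.*" /type "allow" }
      }
    }
  }
}
```

After reloading the web server, a request for /system/console or a PUT to /content should come back as a 404 from the Dispatcher (its default answer for a filtered request), while a GET for a page under /content is still served.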
@muskaanchandwani, thanks again for all your suggestions. It is very helpful.
Can you please explain this part in detail:
"In short, keep the Dispatcher as the only public-facing component, secure it with WAF and HTTPS, and ensure the Publisher remains protected behind the firewall with strict access control."
Does this mean we should place the Publisher within the firewall and only the Dispatcher outside the firewall, so that external customers can access it?
As a continuation of the previous comment: only the Dispatcher is exposed outside the firewall and the Publisher is not. In that case, the Publisher will not be directly accessible to requests coming from outside the firewall.