ÃÛ¶¹ÊÓƵ

DocumentationAEM 6.4Developing Guide

Security security

Last update: Wed May 03 2023 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

  • Developer
CAUTION
AEM 6.4 has reached the end of extended support and this documentation is no longer updated. For further details, see our . Find the supported versions here.

Application Security starts during the development phase. ÃÛ¶¹ÊÓƵ recommends to apply the following security best practices.

Use Request Session use-request-session

Following the principle of least privilege, ÃÛ¶¹ÊÓƵ recommends that every repository access is done by using the session bound to the user request and proper access control.

Protect against Cross-Site Scripting (XSS) protect-against-cross-site-scripting-xss

Cross-site scripting (XSS) allows attackers to inject code into web pages viewed by other users. This security vulnerability can be exploited by malicious web users to bypass access controls.

AEM applies the principle of filtering all user-supplied content upon output. Preventing XSS is given the highest priority during both development and testing.

The XSS protection mechanism provided by AEM is based on the provided by . The default AntiSamy configuration can be found at

/libs/cq/xssprotection/config.xml

It is important that you adapt this configuration to your own security needs by overlaying the configuration file. The official will provide you with all the information you need in order to implement your security requirements.

NOTE
We strongly recommend you always access to the XSS protection API by using the .

Additionally, a web application firewall, such as , can provide reliable, central control over the security of the deployment environment and protect against previously undetected cross-site scripting attacks.

Access to Cloud Service Information access-to-cloud-service-information

NOTE
ACLs for the Cloud Service Information as well as the OSGi settings required to secure your instance are automated as part of the Production Ready Mode. While this means that you do not need to make the configuration changes manually, it is still recommended that you review them before you go live with your deployment.

When you integrate your AEM instance with the ÃÛ¶¹ÊÓƵ Marketing Cloud you use Cloud Service configurations. Information about these configurations, together with any statistics collected are stored in the repository. We recommend that, if you are using this functionality, you review whether the default security on this information matches your requirements.

The webservicesupport module writes statistics and configuration information under:

/etc/cloudservices

With the default permissions:

  • Author environment: read for contributors

  • Publish environment: read for everyone

Protect against Cross-Site Request Forgery Attacks protect-against-cross-site-request-forgery-attacks

For more information on the security mechanisms AEM employs to mitigate CSRF attacks, see the Sling Referrer Filter section of the Security Checklist and the CSRF Protection Framework documentation.

recommendation-more-help
2315f3f5-cb4a-4530-9999-30c8319c520e