How to protect AEM agaist CSRF Attack ?

Adobe Experience Manager (AEM) is a popular content management system that is widely used to develop and manage websites, mobile apps, and other digital experiences. However, like any other web application, AEM is vulnerable to cross-site request forgery (CSRF) attacks. CSRF attacks are malicious attacks where an attacker tricks a user into performing an action they did not intend to perform by exploiting the user's active session on a website. In this blog, we will discuss some measures that can be taken to protect AEM from CSRF attacks.

Implement CSRF protection in AEM:

The first and most important step to protect AEM from CSRF attacks is to implement CSRF protection in the application. AEM provides a built-in CSRF protection mechanism that can be enabled by setting the "sling.filter.methods" property in the OSGi configuration. This property specifies which HTTP methods are allowed to execute without requiring a CSRF token.

Implement CSRF protection in Dispatcher:

To configure the Dispatcher to protect against Cross-Site Request Forgery (CSRF) attacks, you can follow these steps:

  1. Enable CSRF Protection: Enable CSRF Protection in your Adobe Experience Manager (AEM) instance by adding the following properties to your web console or crx-quickstart/config/org.apache.felix.http.cfg file:
org.apache.felix.http.whiteboard.filter.regex=.* org.apache.felix.http.whiteboard.filter.pattern=/_csrf.* org.apache.felix.http.whiteboard.filter.dispatcher=forward
  1. Configure Dispatcher: Configure the Dispatcher to include a CSRF token in every POST request by adding the following configuration to your dispatcher.any file:
/filter { /0000 { /type "deny" /method "POST" /url "/content*" /url "/bin*" /headers { /X-CSRF-Token "" } } }

This configuration denies all POST requests made to URLs that start with "/content" or "/bin" and includes an empty "X-CSRF-Token" header.

  1. Verify the configuration: Verify that the configuration is working by testing a POST request to a URL that matches the filter configuration. You should receive a 403 Forbidden response if the CSRF protection is working correctly.

By following these steps, you can configure the Dispatcher to protect against CSRF attacks and help ensure the security of your AEM instance. It is important to note that this is just one of the many steps you can take to protect your AEM instance, and you should also consider other security measures such as enabling HTTPS and keeping your AEM instance up-to-date with security patches.


Popular Posts

HTTP Smuggling in AEM , How to prevent it ?

AEM Security Headers

AdobeDispatcherHacks ".statfile"

How Does S3 works with AEM ?

OakAccess0000: Access denied

Configure/Decoding AEM AuditLogs

Build is failing due to CHECKSUM issue.

How Encrypt-Decrypt Data in AEM , Crypto Support ?

Pre warming AWS Load balancer

How to Increase Apache Request Per Second ?