Security Headers & Cookie Management in Hybrid AEM CDN Setup on AWS CloudFront

-
aemrules.com
Security Headers & Cookie Management in Hybrid AEM CDN Setup on AWS CloudFront
7 min read  ·  Anuj Gangwar  ·  AEM Architect @ Adobe
5 things to know in 30 seconds
1
Never manage security headers on both EDS and AMS independently — enforce all of them at CloudFront only using a Response Headers Policy. One place, consistent everywhere.
2
Your CSP policy must be a superset covering both EDS and AMS — scripts, fonts, and connect sources from both origins in one unified policy.
3
Strip ALL cookies before forwarding to EDS origin. EDS is stateless — forwarding AMS session cookies destroys cache efficiency and every user gets a unique cache entry.
4
For AMS authenticated paths, whitelist only the cookies you need — typically login-token. Never forward all cookies blindly.
5
For SSO across EDS and AMS pages, use a lightweight JWT shared cookie readable by EDS JavaScript client-side — never share the full AEM session cookie.
Ask a question in the Ask AI tab for more details on any topic.
Local Q&A — zero API cost — aemrules.com

 

Security Headers & Cookie Management in Hybrid AEM CDN Setup on AWS CloudFront

Introduction

When running a hybrid AEM setup with EDS and AMS behind a single AWS CloudFront distribution, security is more complex than a single-origin setup. You have two origins — each setting their own response headers, each with different cookie behaviour — and you need to present a consistent, secure experience to the end user regardless of which origin served the page.

Get this wrong and you end up with:

  • Inconsistent Content Security Policy (CSP) headers across EDS and AMS pages
  • AMS session cookies accidentally forwarded to EDS origin — destroying cache efficiency
  • Security headers set by AMS Dispatcher conflicting with headers set by CloudFront
  • Users losing their authenticated session when navigating from AMS pages to EDS pages

This post covers how to handle security headers and cookies correctly at the CDN layer.

The Fundamental Rule: Enforce Security Headers at CloudFront, Not at Origins

The biggest mistake teams make is trying to configure security headers independently on both origins:

  • Security headers set in Apache httpd.conf on AMS Dispatcher
  • Different or missing security headers on EDS (which has no Apache layer)

The result is inconsistent headers — the same CSP policy applies on /products/* but is missing or different on /blog/*.

The correct approach: enforce all security headers at CloudFront using a CloudFront Response Headers Policy. Strip security headers from both origins and let CloudFront be the single source of truth.

Both origins → CloudFront strips origin security headers
             → CloudFront Response Headers Policy applies
             → Consistent headers sent to every user
             regardless of which origin served the page

         

Security Headers to Manage at CloudFront Level

1. Content Security Policy (CSP)

CSP is the most complex header to manage in hybrid setups because EDS and AMS may load different third-party scripts, fonts, and assets.

The challenge:

  • AMS pages may load Adobe Analytics, Target, or other scripts
  • EDS pages may load Google Fonts, third-party embeds
  • A single CSP policy must cover both without being so permissive it becomes useless

Recommended approach:

Build a unified CSP that is a superset of what both origins need, and apply it at CloudFront level. In plain English:

Allowed script sources:
  - Your own domain (self)
  - Adobe Analytics / Launch domains
  - Google Tag Manager
  - Any third-party scripts used on either EDS or AMS pages

Allowed connect sources:
  - Your API endpoints
  - Adobe Experience Cloud domains
  - EDS hlx.live domain (if EDS fetches resources from hlx.live)

Block:
  - inline scripts (use nonces or hashes where needed)
  - object-src (always block Flash/plugins)
  - frame-src (whitelist only trusted embed domains)

Apply this as a CloudFront Response Headers Policy — it appends the CSP header to every response regardless of origin.

2. HSTS (HTTP Strict Transport Security)

HSTS tells browsers to always use HTTPS for your domain. This must be consistent across all paths.

Set this at CloudFront level only:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Remove it from AMS Apache/Dispatcher config entirely — if both set it, you get duplicate headers which some browsers reject.

3. X-Frame-Options and CSP frame-ancestors

Used to prevent clickjacking. Must be identical across EDS and AMS pages or the browser will behave inconsistently.

Set at CloudFront level:

X-Frame-Options: SAMEORIGIN

Or in modern setups, use CSP frame-ancestors directive instead (more flexible, replaces X-Frame-Options).

4. X-Content-Type-Options and Referrer-Policy

These are simple, consistent, and should be set once at CloudFront:

X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin

Cookie Management — The Most Critical Part

Cookies are where hybrid setups most commonly break. AMS is a stateful system that relies heavily on cookies. EDS is completely stateless. CloudFront sits between them and must make intelligent decisions about which cookies to forward to which origin.

The Problem in Plain English

Imagine a user logs into an AMS page (/products/checkout). AEM sets a session cookie:

login-token=abc123xyz

That cookie now lives in the user's browser. When they navigate to an EDS page (/blog/latest), their browser sends the same cookie with the request to CloudFront.

If CloudFront forwards that cookie to the EDS origin:

  • EDS ignores it (EDS is stateless and doesn't use cookies)
  • But the cookie is now part of the CloudFront cache key
  • Every authenticated user gets a different cache entry for the same EDS page
  • Your CloudFront cache hit rate for EDS drops to near zero
  • You are effectively serving EDS pages uncached — defeating the entire purpose of EDS

The Solution — Cookie Policies Per Cache Behaviour

In CloudFront you can define different cookie forwarding rules per path pattern.

For EDS paths — strip all cookies:

Cache Behaviour: /blog/*
Cookie forwarding: None
→ All cookies stripped before forwarding to EDS origin
→ Cache key is clean — all users share the same cache entry
→ EDS gets maximum cache efficiency

For AMS authenticated paths — forward specific cookies:

Cache Behaviour: /account/*  /checkout/*
Cookie forwarding: Whitelist
Forward only: login-token, JSESSIONID
→ AMS gets the cookies it needs for authentication
→ Cache is bypassed for these paths (or keyed by cookie value)

For AMS general content paths — forward no cookies:

Cache Behaviour: /products/*  /services/*
Cookie forwarding: None
→ AMS Dispatcher serves cached pages
→ No personalisation required on these paths
→ Maximum cache efficiency

SSO Across Origins — When a User Navigates Between EDS and AMS Pages

A common requirement: user logs in on an AMS page, then navigates to an EDS page. The EDS page should recognise the user is authenticated (e.g. show a personalised navigation).

The challenge: EDS cannot read AEM session cookies directly. It has no server-side session concept.

Recommended approach — JWT in a shared cookie:

User logs in on AMS (/account/login)
  ↓
AEM sets a lightweight JWT cookie (not the full session cookie):
  user-context=eyJuYW1lIjoiQW51aiJ9
  Domain: .example.com  ← shared across all subpaths
  HttpOnly: false        ← so EDS JavaScript can read it
  SameSite: Lax
  ↓
User navigates to EDS page (/blog/latest)
  ↓
EDS JavaScript reads user-context cookie
  ↓
Renders personalised navigation (Hello, Anuj)

This approach keeps the heavy AEM session cookie (login-token) server-side only while sharing a lightweight user context token that EDS JavaScript can use for UI personalisation.

CloudFront must be configured to:

  • Not forward user-context to EDS origin (EDS doesn't need it at origin — it's handled client-side)
  • Not include user-context in the EDS cache key (otherwise every user gets a unique cache entry)

Duplicate Header Problem — Stripping Origin Headers at CloudFront

Both AMS Dispatcher (Apache) and CloudFront can set the same security headers. If both set them, the user's browser receives duplicate headers — which can cause unexpected behaviour or browser rejections.

Solution — strip security headers at the origin before CloudFront adds them:

On AMS Apache/Dispatcher, remove these headers from httpd.conf:

# Remove these — CloudFront will set them
# Header always set Strict-Transport-Security ...
# Header always set X-Frame-Options ...
# Header always set Content-Security-Policy ...
# Header always set X-Content-Type-Options ...

On EDS — EDS does not have an Apache layer, so there is nothing to strip. CloudFront simply adds the headers on top of the EDS response.

Summary — What Goes Where

Header / Cookie Managed at Reason
CSP CloudFront Response Headers Policy Single unified policy for both origins
HSTS CloudFront Response Headers Policy Must be consistent, no duplicates
X-Frame-Options CloudFront Response Headers Policy Consistent clickjacking protection
X-Content-Type-Options CloudFront Response Headers Policy Simple, consistent
AMS session cookies (login-token) Forward to AMS paths only AMS needs them, EDS does not
EDS paths cookie forwarding Strip all cookies Protect EDS cache efficiency
User context JWT Client-side only (not forwarded) Shared identity signal for EDS JS

Key Takeaways

  • Never manage security headers independently on both origins — set them once at CloudFront and strip them from AMS Apache config entirely.
  • The CSP policy must be a superset of both EDS and AMS requirements — a single policy that covers all scripts, fonts, and connections used by either origin.
  • Cookie forwarding rules are the most critical configuration in hybrid setups — wrong cookie policies destroy EDS cache efficiency and can break AMS authentication.
  • Use a lightweight JWT shared cookie (not the full AEM session cookie) for SSO signals between AMS and EDS pages — EDS reads it client-side without needing it at origin.
  • Always use path-scoped cookie policies in CloudFront — EDS paths strip all cookies, AMS authenticated paths whitelist only what is needed.

Published on aemrules.com | Tags: AEM, EDS, AMS, CloudFront, Security Headers, CSP, Cookies, SSO, Hybrid AEM, CDN

Comments

Post a Comment

Popular Posts

Configure/Decoding AEM AuditLogs

-
Image
AEM Developers, Infrastructure Engineers / Dev-ops teams working in the financial domain regularly come across a challenge for event auditing in AEM. This helps in identifying most of the activities happening in AEM. Audit logs are a very effective way to debug the content issue & to know what all is happening in your environment and by whom. This article addresses in a simple way on how to enable the audit logs, its different ways, and how to understand the audit logs.  This article covers the following - How can we enable Audit logs in AEM. How can we read and understand the Audit logs/ tools to use it. Audit log on file system in crx-quickstart/logs folder.   Audit logs for User creation / Modification. How can you archive/purge the audit logs. How can we enable Audit logs in AEM?            By Default, the Audit logs are pre-configured in AEM, for a few basic operations of DAM and for all other operations of Pages ...
Read more

How to Increase Apache Request Per Second ?

-
Image
How to Increase Apache Request Per Second ? By default, Apache web server is configured to support 160 requests per second. As your website traffic increases, Apache will start dropping additional requests and this will spoil customer experience.  Here’s how to increase Apache requests per second. 1. Install MPM module We need to install MPM Apache module to be able to increase Apache requests per second. You can use mpm_worker or mpm_event module for this, instead of mpm_prefork module which consumes a lot of memory. You can easily install MPM module in Apache with following command For CentOS7/RHEL7 : Adjust /etc/httpd/conf.modules.d/00-mpm.conf Comment the line LoadModule mpm_prefork_module modules/mod_mpm_prefork.so by adding # in front of it. Uncomment the line LoadModule mpm_worker_module modules/mod_mpm_worker.so by removing # in front of it. For Ubuntu/Debian :  Use a2dismod / a2enmod to disable mpm_prefork and enable mpm_worker 2. Increase Max Connections in Apach...
Read more

AdobeDispatcherHacks ".statfile"

-
Image
AEM DISPATCHER STATFILE UNDERSTANDING & CACHE INVALIDATION:- AEM Developers, Infrastructure Engineers regularly come across a challenge on decoding the statfile and using it efficiently especially statfile becomes highly relevant in a multi-tenanted environment with different project teams controlling different sites. The article addresses in a simple way on how to understand the mechanisms of stat file and gives a detailed explanation of how it can be used in a multi-tenant environment model.  The image for your reference as a quick overview of the data flow, before we take a deep dive.  This article covers - 1 - When dispatcher serves the old version of the content. How to avoid it. 2- Cache invalidation mechanism. Assumption - If you are reading this article, I believe you would have a basic understanding of Dispatcher and it's configuration. Firstly let’s set the initial configuration for the cache invalidation section ...
Read more

how to clear dispatcher cache in aem ?

-
Image
How to clear dispatcher cache in aem ? As you may know, the Dispatcher cache in Adobe Experience Manager (AEM) is used to improve the performance of your website by caching static resources and pages. However, sometimes you may need to clear the cache to ensure that the latest content and changes are displayed on your website. In this blog post, we'll show you how to clear the Dispatcher cache in AEM.   This method will clear the entire Dispatcher cache, including all cached pages and resources. Keep in mind that clearing the cache may affect the performance of your website, as it may take some time to rebuild the cache. Clear Cache using the Dispatcher Flush Agent You can use the Dispatcher Flush Agent. Follow these steps:   Log in to your AEM instance and navigate to http://localhost:4502/etc/replication/agents.author.html . Click on the "Dispatcher Flush" agent to open the agent's configuration page. Clic...
Read more

How Does S3 works with AEM ?

-
Image
How Does S3 works with AEM  ? Accommodating a huge amount of assets in any content management platform is challenging. Adobe Experience Manager offers an integration with the Amazon S3 storage solution, allowing binary data for images, documents and videos to be stored in an S3 bucket. Amazon S3 is highly performant and offers nearly infinite storage capacity.   When talking about terabyte storage, performance is everything. The choices made during the planning and architecting phase can literally make or break the performance of a CMS system and the websites running on it.  Adobe Experience Manager offers a number of storage methods, each offering a different way of storing data. Each of these options has its strengths and weaknesses. In AEM storage the mechanisms are called Micro Kernels, or MK for short.  In this article we will look at the AEM with S3 data store. For the detailed steps for S3 configuration you can refer -  https://www.aemrules.com/...
Read more

AEM Security Headers

-
Image
Added Security in AEM via Headers:-  In design a robust architecture AEM Architects, Developers, Infrastructure Engineers regularly come across a challenge for adding the additional security in AEM.  In this article, we will understand the key security headers which can be used in webserver and give an additional layer of security for your Publish server and content.  I have used Apache webserver for all the examples.  This article covers -  1 - X-XSS protection  2 - HTTP Strick Transport Security 3 - X-Frame Option  4 - Content Security  1- X-XSS Protection:-  X-XSS-Protection header can prevent some level of XSS (cross-site-scripting ) attacks.  Configure the x-xss-protection header to 1 in your apache httpd.conf file or Vhost file if you have for all domains as applicable.   <IfModule mod_headers.c>   <FilesMatch "\.(htm|html)$">               ...
Read more

How to Sync HMAC in AEM ?

-
Image
Crypto Support in AEM (Syncing HMAC among AEM instances) AEM OOTB provides a feature where we can encrypt the secured and confidential data through OOTB AEM Crypto Support and store it in a code repository in the form of OSGi configuration. Crypto Support is based on keys (hmac and master files) which are unique for each AEM instance. Encrypted text generated for the same plain-text string on one AEM instance will be different from another instance. This can raise alarms in cases where we have the same OSGi configuration values shared among Author and Publish instances under the same topology. For e.g. /apps/project/config.prod/com.day.cq.db.dbservice.xml Here DB password for Default DB Service will be same across all Prod AEM instances. So, in order to make sure that the same encrypted value works on all Prod instances, we will have to sync hmac and master files among Prod Author and Publish instances. Vital Points to know before HMAC SYNC  Sync of HMAC/keys will break the AEM SSL...
Read more

OakAccess0000: Access denied

-
Image
ERROR :-   OakAccess0000: Access denied We often observe while doing the AEM development or in live running environment we get the error code  OakAccess0000 , especially while running a workflow or any asset upload. This issue disrupts normal operation. As content authors are unable to perform essential task like uploading or managing content, leading to business impact.   This impact the business as content author are unable to upload any content.  Error stack trace :- Javax.jcr.AccessDeniedException: OakAccess0000: Access denied  at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:232) [org.apache.jackrabbit.oak-api:1.10.6]  at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:213) [org.apache.jackrabbit.oak-api:1.10.6]  at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:669) [org.apache...
Read more

AEM ACL and how they are evaluated

-
Image
ACL's and how they are evaluated ? AEM Developers, Infrastructure Engineers / Dev-ops teams working in any domain regularly come across a challenge for understanding the ACL & its evaluation mechanism.  Adobe Experience Manager is designed to cater for content authoring of multiple sites by multiple content authors. Naturally, this process needs to be controlled by strict Access Control Lists (ACLs) to manage. AEM WCM uses Access Control Lists (ACLs) to organise the permissions being applied to the various pages. This article addresses in a simple way on how to understand the ACL's , its different ways,  This article covers the following - How can we read and understand the ACL.  Evaluation of user permissions.  Concurrent Permission on ACL Access Control Lists are made up of the individual permissions and are used to determine the order in which these permissions are actually applied. The list is formed according to the hierarchy of the pages under consideration...
Read more

Dispatcher flush from AEM UI

-
Image
How to Delete Dispatcher cache without logging into the Dispatcher servers? Our Authoring team faces day to day challenges while deleting/flush the dispatcher cache. when the changes are not visible on server. They have to be depended on the IT operations/Dev ops teams to do the same. Which some time get very much time consuming for a small work.  In this article we will see it can be configure and used by Author UI itself.  This will allow  AEM authors (or “super authors”) to flush parts of the dispatcher cache manually without the involvement of IT Operations. How to Use 1. Log in to AEM Author 2. Download the ACS commons tool from  ACS Commons Official page 3. Install the downloaded package via aem package manager.   4. Make sure you create the dispatcher flush agents on Author for all Dispatchers. from http://<<host:port>>/miscadmin#/etc/replication/agents.author, check the NOTE's part at the end of page. 5. Navigate to Tools 6. Under the ac...
Read more