Rules of AEM

Adobe Experience Manager (AEM) is a popular content management system that is widely used to develop and manage websites, mobile apps, and other digital experiences. However, like any other web application, AEM is vulnerable to cross-site request forgery (CSRF) attacks. CSRF attacks are malicious attacks where an attacker tricks a user into performing an action they did not intend to perform by exploiting the user's active session on a website. In this blog, we will discuss some measures that can be taken to protect AEM from CSRF attacks. Implement CSRF protection in AEM: The first and most important step to protect AEM from CSRF attacks is to implement CSRF protection in the application. AEM provides a built-in CSRF protection mechanism that can be enabled by setting the "sling.filter.methods" property in the OSGi configuration. This property specifies which HTTP methods are allowed to execute without requiring a CSRF token. Implement CSRF protection in Disp

How to Configure CSP header in AEM ? Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS) and other code injection attacks by restricting the sources from which a page can load resources. To implement a CSP header in an Apache web server, you can use the Header directive in your Apache configuration. Here are the steps to implement a CSP header in Apache: Determine your CSP policy: First, you need to determine your CSP policy. This policy defines the rules for what types of content can be loaded from which sources. You can use a CSP policy generator like the one available on the Mozilla Developer Network (MDN) website to generate a policy that meets your needs. Add the CSP header to your Apache configuration: Once you have your CSP policy, you can add the CSP header to your Apache configuration. To do this, open your Apache configuration file (usually located at /etc/httpd/conf/httpd.conf or a similar location depending on your setup) and

 Adobe Experience Manager (AEM) is a popular content management system that is widely used by businesses to manage and publish digital content. With the increasing amount of sensitive data being stored and shared online, it's important for AEM users to be aware of the security features that the platform offers. In this blog, we'll discuss some of the key security features of AEM and provide tips for keeping your AEM instance secure. Authentication and Authorization AEM provides several options for authentication and authorization. Users can log in using their credentials, which can be verified using LDAP or other external identity providers. Once authenticated, users are assigned roles and permissions, which determine what actions they can perform within AEM. To keep your AEM instance secure, it's important to ensure that users only have the permissions they need to perform their jobs. For example, if a user doesn't need to publish content, they should not be given perm

 HTTP/3: The Next Generation of Web Communications The Internet has come a long way since the introduction of the first version of the Hypertext Transfer Protocol (HTTP) in 1991. The evolution of the web has led to the development of new technologies, with the most recent being HTTP/3, the third version of the HTTP protocol. In this blog, we will discuss what HTTP/3 is, its benefits, and how it differs from previous versions of the HTTP protocol. What is HTTP/3? HTTP/3 is the third version of the HTTP protocol and is designed to be a faster and more efficient way of transmitting data over the Internet. HTTP/3 was developed as a response to the growing demands of modern web applications, which require fast and reliable data transfer to provide users with a seamless experience. HTTP/3 is based on the QUIC protocol, which is a new transport layer protocol designed for the Internet. QUIC is designed to provide low latency, high security, and high performance for the Internet, making it an

HTTP Smuggling is a technique used by attackers to inject malicious requests into a web application. This can cause significant security risks and data breaches if not addressed properly. In this blog, we will discuss what HTTP Smuggling is, how it can be exploited, and the solution to prevent it in Adobe Experience Manager (AEM). What is HTTP Smuggling? HTTP Smuggling is a technique where attackers can manipulate the HTTP requests sent to a web server to bypass security mechanisms. The attacker can manipulate the request in a way that makes it look like a legitimate request to the server, but in reality, it is carrying malicious payloads. This technique is particularly dangerous because it can be used to bypass firewalls, intrusion detection systems, and web application firewalls (WAFs). How can HTTP Smuggling be Exploited in AEM? AEM is a popular web content management system used by organizations worldwide. As with any web application, AEM is vulnerable to HTTP Smuggling attacks if

  AEM - LDAP Integration LDAP (the   L ightweight   D irectory   A ccess   P rotocol) is used for accessing centralised directory services.  You can achieve below vital things with LDAP integration The User accounts can be synchronised between LDAP server and the AEM repository.  The AEM uses LDAP authentication  to authenticate users, with credentials being passed to the LDAP server for validation.  To improve performance, successfully validated credentials can be cached by repository, with an expire timeout. This helps reduce the effort required to manage user accounts as they can be accessed by the multiple applications.  When a user/account is removed from LDAP server validation is no longer granted & access to the AEM is denied.  The following are the AEM steps for integrating the LDAP and using it as your Single Sign On (SSO) source of truth for authenticating AEM Users. In order to have LDAP working with AEM, you need to create three OSGi configurations: An LDAP Identity Pro

How to Use Crypto Support in AEM to Encrypt/Decrypt Data? While working with AEM, The AEM dev-ops / developer team sometimes have a requirements to call third-party APIs/Services. Configurations related to these APIs/Services like username, passwords, client id/secrets, API keys are usually stored in a code repository in the form of OSGi configuration. This sensitive information should be stored encrypted rather than plain-text format. This is possible through the OOTB AEM Crypto Support bundle. This bundle provides services for encrypting and decrypting the confidential/secured data through system-wide keys (hmac and master files).   What are the Features of Crypto Support? Decryption happens at runtime. No one can decrypt the data through the UI. There’s no UI to decrypt the encrypted data. So, the information remains secure. What are hmac/master keys? Encryption/decryption happens through keys (hmac and master files). These keys get generated during the first startup of AEM instance

Crypto Support in AEM (Syncing HMAC among AEM instances) AEM OOTB provides a feature where we can encrypt the secured and confidential data through OOTB AEM Crypto Support and store it in a code repository in the form of OSGi configuration. Crypto Support is based on keys (hmac and master files) which are unique for each AEM instance. Encrypted text generated for the same plain-text string on one AEM instance will be different from another instance. This can raise alarms in cases where we have the same OSGi configuration values shared among Author and Publish instances under the same topology. For e.g. /apps/project/config.prod/com.day.cq.db.dbservice.xml Here DB password for Default DB Service will be same across all Prod AEM instances. So, in order to make sure that the same encrypted value works on all Prod instances, we will have to sync hmac and master files among Prod Author and Publish instances. Vital Points to know before HMAC SYNC  Sync of HMAC/keys will break the AEM SSL and