Posts

Showing posts matching the search for Security

AEM Security Headers

Image
Added Security in AEM via Headers:-  In design a robust architecture AEM Architects, Developers, Infrastructure Engineers regularly come across a challenge for adding the additional security in AEM.  In this article, we will understand the key security headers which can be used in webserver and give an additional layer of security for your Publish server and content.  I have used Apache webserver for all the examples.  This article covers -  1 - X-XSS protection  2 - HTTP Strick Transport Security 3 - X-Frame Option  4 - Content Security  1- X-XSS Protection:-  X-XSS-Protection header can prevent some level of XSS (cross-site-scripting ) attacks.  Configure the x-xss-protection header to 1 in your apache httpd.conf file or Vhost file if you have for all domains as applicable.   <IfModule mod_headers.c>   <FilesMatch "\.(htm|html)$">               ...

HTTP Smuggling in AEM , How to prevent it ?

Image
Protecting Adobe Experience Manager from HTTP Smuggling Attacks HTTP Smuggling is a technique used by attackers to inject malicious requests into a web application. This can cause significant security risks and data breaches if not addressed properly. In this blog, we will discuss what HTTP Smuggling is, how it can be exploited, and the solution to prevent it in Adobe Experience Manager (AEM). What is HTTP Smuggling? HTTP Smuggling is a technique where attackers can manipulate the HTTP requests sent to a web server to bypass security mechanisms. The attacker can manipulate the request in a way that makes it look like a legitimate request to the server, but in reality, it is carrying malicious payloads. This technique is particularly dangerous because it can be used to bypass firewalls, intrusion detection systems, and web application firewalls (WAFs). How can HTTP Smuggling be Exploited in AEM? AEM is a popular web content management system used by organizations worldwide. As with any ...

Security best Practice in AEM

Image
 Adobe Experience Manager (AEM) is a popular content management system that is widely used by businesses to manage and publish digital content. With the increasing amount of sensitive data being stored and shared online, it's important for AEM users to be aware of the security features that the platform offers. In this blog, we'll discuss some of the key security features of AEM and provide tips for keeping your AEM instance secure. Authentication and Authorization AEM provides several options for authentication and authorization. Users can log in using their credentials, which can be verified using LDAP or other external identity providers. Once authenticated, users are assigned roles and permissions, which determine what actions they can perform within AEM. To keep your AEM instance secure, it's important to ensure that users only have the permissions they need to perform their jobs. For example, if a user doesn't need to publish content, they should not be given perm...

Configure/Decoding AEM AuditLogs

Image
AEM Developers, Infrastructure Engineers / Dev-ops teams working in the financial domain regularly come across a challenge for event auditing in AEM. This helps in identifying most of the activities happening in AEM. Audit logs are a very effective way to debug the content issue & to know what all is happening in your environment and by whom. This article addresses in a simple way on how to enable the audit logs, its different ways, and how to understand the audit logs.  This article covers the following - How can we enable Audit logs in AEM. How can we read and understand the Audit logs/ tools to use it. Audit log on file system in crx-quickstart/logs folder.   Audit logs for User creation / Modification. How can you archive/purge the audit logs. How can we enable Audit logs in AEM?            By Default, the Audit logs are pre-configured in AEM, for a few basic operations of DAM and for all other operations of Pages ...

How to Configure CSP header in AEM , Dispatcher ?

Image
How to Configure CSP header in AEM ? Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS) and other code injection attacks by restricting the sources from which a page can load resources. To implement a CSP header in an Apache web server, you can use the Header directive in your Apache configuration. Here are the steps to implement a CSP header in Apache: Determine your CSP policy: First, you need to determine your CSP policy. This policy defines the rules for what types of content can be loaded from which sources. You can use a CSP policy generator like the one available on the Mozilla Developer Network (MDN) website to generate a policy that meets your needs. Add the CSP header to your Apache configuration: Once you have your CSP policy, you can add the CSP header to your Apache configuration. To do this, open your Apache configuration file (usually located at /etc/httpd/conf/httpd.conf or a similar location depending on your setup) and ...

HTTP/3 Explained: Faster, Safer Internet Protocol

Image
 HTTP/3: The Next Generation of Web Communications The Internet has come a long way since the introduction of the first version of the Hypertext Transfer Protocol (HTTP) in 1991. The evolution of the web has led to the development of new technologies, with the most recent being  HTTP/3 protocol , the third version of the HTTP protocol. In this blog, we will discuss what HTTP/3 is, its benefits, and how it differs from previous versions of the HTTP protocol.  HTTP/3 protocol provide several  benefits , improving web performance with low latency and enhanced security This blog will help you learn -  What Is HTTP/3? Benefits of HTTP/3 HTTP/3 vs HTTP/2: Key Differences Why HTTP/3 Matters for Developers and Users Final Thoughts on HTTP/3 What is HTTP/3? HTTP/3 is the third version of the HTTP protocol and is designed to be a faster and more efficient way of transmitting data over the Internet. HTTP/3 was developed as a response to the growing demands of modern web ...

How to protect AEM against CSRF Attack ?

Image
How to protect AEM against CSRF Attack ? Adobe Experience Manager (AEM) is a popular content management system that is widely used to develop and manage websites, mobile apps, and other digital experiences. However, like any other web application, AEM is vulnerable to cross-site request forgery (CSRF) attacks. CSRF attacks are malicious attacks where an attacker tricks a user into performing an action they did not intend to perform by exploiting the user's active session on a website. In this blog, we will discuss some measures that can be taken to protect AEM from CSRF attacks.   Implement CSRF protection in AEM:   The first and most important step to protect AEM from CSRF attacks is to implement CSRF protection in the application. AEM provides a built-in CSRF protection mechanism that can be enabled by setting the "sling.filter.methods" property in the OSGi configuration.  Navigate to the OSGi Web Console (/system/console/configMgr). Search for Apache Sling Refe...