AEM Security Headers
Added Security in AEM via Headers:-
When designing a robust architecture, AEM architects, developers and infrastructure engineers regularly face the challenge of adding extra security to AEM.
In this article we look at the key security headers that can be set in the web server to give an additional layer of security for your Publish server and its content. I have used the Apache web server for all the examples.
This article covers -
1 - X-XSS-Protection
2 - HTTP Strict Transport Security
3 - X-Frame-Options
4 - Content Security Policy
1- X-XSS Protection:-
The X-XSS-Protection header can prevent some cross-site scripting (XSS) attacks.
Configure the X-XSS-Protection header to 1 in your Apache httpd.conf file, or in the vhost file if you have one, for all domains as applicable.
<IfModule mod_headers.c>
<FilesMatch "\.(htm|html)$">
#Force XSS (should be on by default in most browsers anyway)
Header always set X-XSS-Protection "1; mode=block"
</FilesMatch>
</IfModule>
There are four possible options/parameters you can provide to this header while configuring it:
Option 1 - Set to "0": the XSS filter is disabled.
Option 2 - Set to "1": the XSS filter is enabled and the browser sanitizes the page if an attack is detected.
Option 3 - Set to "1; mode=block": the XSS filter is enabled and the browser prevents rendering of the page if an attack is detected.
Option 4 - Set to "1; report=http://mywebsite.com/report_URI": the XSS filter is enabled and the browser reports the violation if an attack is detected.
2. HTTP Strict Transport Security:-
The HSTS (HTTP Strict Transport Security) header ensures that all communication from a browser is sent over HTTPS (HTTP Secure). This prevents HTTPS click-through prompts and redirects HTTP requests to HTTPS. Before implementing this header, you must ensure that every page of your website is accessible over HTTPS, otherwise those pages will be blocked.
Note:- For managed service users this may not be applicable, as they use other security layers and terminate SSL before requests reach AEM.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
3. X-Frame-Options:-
Use the X-Frame-Options header to prevent clickjacking on your website. By implementing this header, you instruct the browser not to embed your web page in a frame/iframe.
<IfModule mod_headers.c>
Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
</IfModule>
Note: Put both X-XSS-Protection and X-Frame-Options inside <IfModule mod_headers.c>.
4. Content Security Policy:-
Prevent XSS, clickjacking and code injection attacks by implementing the Content Security Policy (CSP) header in your web page's HTTP response. The idea is that you define all the third-party domains from which you want to load anything on your website. So if an attacker injects anything from www.attacker.com and that domain is not in the content security policy list, those requests will not load on the page and you can see the exceptions in the browser console.
In the example below, use your own website domain in place of mywebsite.com.
Header always set content-security-policy "script-src blob: data: 'unsafe-inline' 'unsafe-eval' 'self' mywebsite.com https://www.abc.com https://any.site.com https://any.api.com"
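As an added example (not from the original article), the following Python script audits a set of response headers for the four headers above and flags missing or weak settings, such as the 'unsafe-inline' and 'unsafe-eval' sources in the CSP example, which largely defeat the script-src protection. The SAMPLE dict is a constructed response; in practice you would feed in the headers your Publish host actually returns (for example from curl -sI).

```python
import re

HSTS_MIN_AGE = 31536000  # one year, the commonly recommended minimum

def audit_headers(headers):
    """Return a list of findings for the four headers covered above."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif not xss.strip().startswith("1"):
        findings.append("X-XSS-Protection disabled (value %r)" % xss)
    elif "mode=block" not in xss.replace(" ", ""):
        findings.append("X-XSS-Protection set without mode=block")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        # These sources let injected or inline script run despite the policy.
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "data:", "blob:"):
            if weak in csp:
                findings.append("Content-Security-Policy allows %s" % weak)
    return findings

# Constructed sample: the headers a Publish host would return with the
# article's config applied verbatim (mywebsite.com is the article's placeholder).
SAMPLE = {
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains;",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "script-src blob: data: 'unsafe-inline' "
                               "'unsafe-eval' 'self' mywebsite.com",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print("WARN:", finding)
```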
Summary:-
With the help of these security headers you can add an extra layer of security to your AEM publish servers/application. These headers are easy to implement and simple to configure in your Apache web server. To find out more about your AEM publish security and its loopholes, you can use the AEM hacker toolset to assess application security. [0]
[0] https://github.com/0ang3el/aem-hacker
References:-
https://docs.adobe.com/content/help/en/experience-manager-dispatcher/using/getting-started/security-checklist.html
https://techinpieces.com/how-to-add-custom-headers-to-dispatcher/
https://helpx.adobe.com/in/experience-manager/6-3/sites/administering/using/security-checklist.html