AEM Security Headers

Adding Security to AEM via Headers:-

When designing a robust architecture, AEM architects, developers and infrastructure engineers regularly face the challenge of adding further layers of security to AEM.

In this article we look at the key security headers that can be set on the web server in front of the Publish instance (the Dispatcher tier) to give your Publish servers and content an additional layer of protection. I have used the Apache web server for all the examples.


This article covers - 

1 - X-XSS-Protection
2 - HTTP Strict Transport Security
3 - X-Frame-Options
4 - Content Security Policy

1. X-XSS-Protection:-


The X-XSS-Protection header switches on the reflected cross-site-scripting (XSS) filter of older browsers and so prevents some classes of XSS attack. Be aware that it is a legacy header: Chrome and Edge have removed their XSS auditor and Firefox never implemented one, so current browsers ignore it and the real defence is the Content Security Policy described in section 4. It still helps users of older browsers.
Configure the header with a value of 1 in your Apache httpd.conf file or, if you have one, in the vhost file of each domain as applicable.

<IfModule mod_headers.c>
    <FilesMatch "\.(htm|html)$">
        # Force the XSS filter on (it is on by default in browsers that still have one)
        Header always set X-XSS-Protection "1; mode=block"
    </FilesMatch>
</IfModule>

There are four possible values you can give this header:

Option 1 - "0": the XSS filter is disabled.
Option 2 - "1": the XSS filter is enabled and the browser sanitises the page (strips the suspicious script) if an attack is detected.
Option 3 - "1; mode=block": the XSS filter is enabled and the browser refuses to render the page at all if an attack is detected.
Option 4 - "1; report=http://mywebsite.com/report_URI": the XSS filter is enabled and the browser sends a report of the violation to the given URI if an attack is detected (the report directive was only ever supported by Chromium-based browsers).

2. HTTP Strict Transport Security:-


The HSTS (HTTP Strict Transport Security) header tells the browser that all communication with your site must go over HTTPS (HTTP Secure). Once a browser has seen the header it rewrites any http:// request to your site to https:// before sending it, and it no longer lets the user click through certificate errors. Browsers only honour the header when they receive it over HTTPS, so you still need a normal HTTP-to-HTTPS redirect on the web server for the very first visit. Before implementing this header you must ensure that every page of your website is accessible over HTTPS, otherwise those pages become unreachable for the lifetime of the max-age.

Note:- For users of a managed service this may not be applicable, because such services add their own security layers and terminate TLS before requests reach AEM. In that case check that the header is set on the layer that terminates TLS (CDN or load balancer), or that the value set on the Dispatcher is passed through unchanged.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Send this header only from the HTTPS vhost. max-age is in seconds (63072000 is two years). includeSubDomains extends the rule to every subdomain of the host, so confirm that all subdomains also serve HTTPS before adding it.

3. X-Frame-Options:-


Use the X-Frame-Options header to prevent clickjacking on your website. With this header you instruct the browser not to embed your web page in a frame or iframe: DENY forbids framing altogether, SAMEORIGIN allows framing only by pages from the same origin.
 
<IfModule mod_headers.c>
    Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options} != 'SAMEORIGIN'"
</IfModule>

The expr condition adds SAMEORIGIN only when the response does not already carry that value, for example when the application behind the Dispatcher sets the header itself; merge never duplicates an existing value. If the backend could already send a different value such as DENY, use set instead of merge so the browser never receives two conflicting values.

Note: Every Header directive needs mod_headers, so keep the X-XSS-Protection and X-Frame-Options directives inside <IfModule mod_headers.c> as shown, so Apache still starts if the module is not loaded.

4. Content Security Policy:-


Prevent XSS, clickjacking and code injection by sending a Content Security Policy (CSP) header with your pages. The idea is that you list all the origins from which the browser may load scripts, styles, images, frames and other resources for your website. If an attacker injects a reference to www.attacker.com and that domain is not in the policy, the browser refuses to load it and logs a violation in the developer console. Clickjacking is covered by the frame-ancestors directive; the example below only restricts scripts (script-src), so keep X-Frame-Options from section 3 for framing.

In the example below, replace mywebsite.com with your own domain.

Header always set Content-Security-Policy "script-src blob: data: 'unsafe-inline' 'unsafe-eval' 'self' mywebsite.com https://www.abc.com https://any.site.com https://any.api.com"

Be aware that 'unsafe-inline', 'unsafe-eval', data: and blob: in script-src let an injected inline <script> or data: URL run anyway, so a policy like this one only blocks scripts loaded from unlisted hosts and gives little protection against XSS. Tighten it step by step: scripts delivered as AEM client libraries are external files and are already covered by 'self', so move inline scripts into clientlibs or allow them with nonces or hashes, then drop the unsafe sources. Roll the policy out as Content-Security-Policy-Report-Only first so you can see what would break before enforcing it.
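To check what a Publish site actually sends, here is an offline audit of the four headers discussed in sections 1 to 4. This is an added example, not code from the original post or from Adobe; it takes response headers as a dict (or as pasted "curl -sI" output), applies the checks described above, and returns a list of findings. The sample headers are constructed: the first set is what the article's own snippets produce, the second is a tightened policy. mywebsite.com and www.abc.com are the article's placeholders, and the one-year HSTS threshold is an assumption of this script.

```python
"""Offline audit of the security headers recommended in this article.

Added example, not code from the original post or from AEM/Adobe.
Sample headers below are constructed for illustration.
"""
import re

MIN_HSTS_MAX_AGE = 31536000  # one year; threshold chosen for this script, not from the article
UNSAFE_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:", "blob:"}
BROAD_SCRIPT_SOURCES = {"*", "http:", "https:"}


def parse_raw_headers(text):
    """Turn 'curl -sI' style output into {name: value}; the status line is skipped."""
    headers = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def _lookup(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers, over_https=True):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []

    # 1. X-XSS-Protection: legacy header, only complain when it is explicitly switched off.
    xss = _lookup(headers, "X-XSS-Protection")
    if xss is not None and xss.strip().startswith("0"):
        findings.append("X-XSS-Protection: browser XSS filter explicitly disabled")

    # 2. HSTS: must arrive over HTTPS, carry a max-age, and should cover subdomains.
    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    else:
        if not over_https:
            findings.append("Strict-Transport-Security: sent over plain HTTP, browsers ignore it")
        max_age = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if max_age is None:
            findings.append("Strict-Transport-Security: no max-age, header is invalid")
        elif int(max_age.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security: max-age={max_age.group(1)} is shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security: includeSubDomains not set")

    # 3. Clickjacking: X-Frame-Options or CSP frame-ancestors, either one is enough.
    csp = _lookup(headers, "Content-Security-Policy")
    policy = parse_csp(csp) if csp else {}
    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None and "frame-ancestors" not in policy:
        findings.append("Clickjacking: neither X-Frame-Options nor CSP frame-ancestors is set")
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unexpected value {xfo!r}, expected DENY or SAMEORIGIN")

    # 4. CSP: script-src (or default-src) must not contain sources that let injected script run.
    if csp is None:
        findings.append("Content-Security-Policy: missing")
    else:
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("Content-Security-Policy: no script-src or default-src, scripts are unrestricted")
        else:
            for src in script_src:
                if src.lower() in UNSAFE_SCRIPT_SOURCES:
                    findings.append(f"Content-Security-Policy: script-src allows {src}, which lets injected script execute")
                elif src in BROAD_SCRIPT_SOURCES:
                    findings.append(f"Content-Security-Policy: script-src allows {src}, i.e. scripts from any host")
    return findings


# Constructed sample 1: the headers the article's own Apache snippets emit.
ARTICLE_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "script-src blob: data: 'unsafe-inline' 'unsafe-eval' 'self' "
                               "mywebsite.com https://www.abc.com",
}

# Constructed sample 2: a tightened policy; frame-ancestors replaces X-Frame-Options.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://www.abc.com; frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("article", ARTICLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

Run it against a live site with `audit_headers(parse_raw_headers(open("headers.txt").read()))` after saving the output of `curl -sI https://mywebsite.com/`; the article's sample policy produces four findings, one per unsafe script source, while the tightened one produces none.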

Summary:- 

With the help of these security headers you add an extra layer of security to your AEM Publish servers and the application behind them. They are easy to implement and simple to configure in your Apache web server. To find out more about the security of your Publish instance and its weak points, you can run the aem-hacker toolset against it to identify application-level issues. [0]
[0]  https://github.com/0ang3el/aem-hacker

References:- 

https://docs.adobe.com/content/help/en/experience-manager-dispatcher/using/getting-started/security-checklist.html
https://techinpieces.com/how-to-add-custom-headers-to-dispatcher/
https://helpx.adobe.com/in/experience-manager/6-3/sites/administering/using/security-checklist.html
