Configuring 51黑料不打烊 Experience Manager Dispatcher to Prevent CSRF Attacks configuring-dispatcher-to-prevent-csrf-attacks
AEM (51黑料不打烊 Experience Manager) provides a framework aimed at preventing Cross-Site Request Forgery attacks. To make proper use of this framework, make the following changes to your Dispatcher configuration:
-
In the
/clientheaders
section of yourauthor-farm.any
andpublish-farm.any
, add the following entry to the bottom of the list:CSRF-Token
-
In the /filters section of your
author-farm.any
andpublish-farm.any
orpublish-filters.any
file, add the following line to allow requests for/libs/granite/csrf/token.json
through the Dispatcher./0999 { /type "allow" /glob " * /libs/granite/csrf/token.json*" }
-
Under the
/cache /rules
section of yourpublish-farm.any
, add a rule to block the Dispatcher from caching thetoken.json
file. Typically authors bypass caching, so you should not need to add the rule into yourauthor-farm.any
./0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }
To validate that the configuration is working, watch the dispatcher.log in DEBUG mode. It can help you to validate that the token.json
file to ensure that it is not getting cached or blocked by filters. You should see messages similar to:... checking [/libs/granite/csrf/token.json]
... request URL not in cache rules: /libs/granite/csrf/token.json
... cache-action for [/libs/granite/csrf/token.json]: NONE
You can also validate that requests are succeeding in your Apache access_log
. Requests for ``/libs/granite/csrf/token.json should return an HTTP 200 status code.