March 29, 2020

What are the major Vulnerabilities and Security Issues in AEM

While working with AEM, there are many security concerns that need to be handled at the Apache level to stop an attacker from attacking the website.

There are a few security headers that are required to provide security at the Apache level.

1. X-XSS-Protection: The X-XSS-Protection header can prevent some XSS (cross-site scripting) attacks.

<IfModule mod_headers.c>
<FilesMatch "\.(htm|html)$">
#Force XSS (should be on by default in most browsers anyway)
Header always set X-XSS-Protection "1; mode=block"
</FilesMatch>
</IfModule>


There are four possible values for this header:
0: XSS filter disabled
1: XSS filter enabled; the browser sanitizes the page if an attack is detected
1; mode=block: XSS filter enabled; the browser prevents rendering of the page if an attack is detected
1; report=http://example.com/report_URI: XSS filter enabled; the browser reports the violation if an attack is detected

Note:
We will use 1; mode=block to implement this security. This needs to be put in the publish vhost files for every domain.

2. HTTP Strict Transport Security: The HSTS (HTTP Strict Transport Security) header ensures that all communication from a browser is sent over HTTPS (HTTP Secure). It prevents users from clicking through HTTPS certificate warnings and makes the browser redirect HTTP requests to HTTPS. Before implementing this header, you must ensure that every page of your website is accessible over HTTPS, otherwise those pages will be blocked.

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"


Note: AMS users can simply uncomment it in the base_rewrite_rules file. Enable it only if the server is served over HTTPS.

3. X-Frame-Options: Use the X-Frame-Options header to prevent clickjacking on your website. By implementing this header, you instruct the browser not to embed your web page in a frame or iframe.

<IfModule mod_headers.c>
Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
</IfModule>

Note: Put the X-XSS-Protection and X-Frame-Options directives inside <IfModule mod_headers.c>.

4. Content Security Policy: Prevent XSS, clickjacking and code injection attacks by implementing the Content Security Policy (CSP) header in your web page's HTTP response. The idea is that you define all the third-party domains from which you want to load anything on your website. So if an attacker injects anything from www.attacker.com and that domain is not in the content security policy list, those requests will not load on the page and you will see exceptions in the browser console.

In the below example, you need to use your website domain in place of we-retail.com.

Header always set content-security-policy "script-src blob: data: 'unsafe-inline' 'unsafe-eval' 'self' we-retail.com https://www.facebook.com https://www.google-analytics.com https://assets.adobedtm.com"

Note: Once this policy is in place, whenever you want to load and use a third-party library, you must add its domain to this configuration first.
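As an added example (not code from the original post), the following Python script audits a captured set of response headers against the four protections described above: X-XSS-Protection, HSTS, X-Frame-Options and CSP. The sample header set is constructed to look like a publish instance after applying the directives above; in practice you would feed in the headers returned by `curl -sI` against your publish domain. The CSP check also flags `'unsafe-inline'`, `'unsafe-eval'` and `data:` in `script-src`, since those sources let injected script run despite the policy, which is the practitioner's caveat on the sample policy shown above.

```python
"""Audit HTTP response headers against the four Apache-level protections
discussed above. Added example; not part of the original post."""
from typing import Dict, List

# Constructed sample: what a publish instance might return after applying
# the four Apache directives above (including the permissive sample CSP).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": (
        "script-src blob: data: 'unsafe-inline' 'unsafe-eval' 'self' "
        "we-retail.com https://www.google-analytics.com"
    ),
}


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [sources]}; directives are ';'-separated."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Return the max-age from an HSTS header, or -1 if absent or unparsable."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all four checks passed."""
    findings: List[str] = []

    xss = _get(headers, "X-XSS-Protection")
    if xss.replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection: expected '1; mode=block', got {xss!r}")

    age = hsts_max_age(_get(headers, "Strict-Transport-Security"))
    if age < 0:
        findings.append("Strict-Transport-Security: header missing or max-age unparsable")
    elif age < 31536000:  # one year is the minimum for HSTS preload eligibility
        findings.append(f"Strict-Transport-Security: max-age {age} is below one year")

    xfo = _get(headers, "X-Frame-Options").upper()
    if xfo not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options: expected SAMEORIGIN or DENY, got {xfo!r}")

    csp_raw = _get(headers, "Content-Security-Policy")
    if not csp_raw:
        findings.append("Content-Security-Policy: header missing")
    else:
        csp = parse_csp(csp_raw)
        # script-src falls back to default-src when it is not set explicitly
        script_src = csp.get("script-src", csp.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "data:", "*"):
            if weak in script_src:
                findings.append(f"Content-Security-Policy: script-src allows {weak}, "
                                "which lets injected script run despite the policy")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["all four header checks passed"]:
        print(finding)
```

Running the script against the constructed sample passes the first three checks and reports three CSP findings, one each for `'unsafe-inline'`, `'unsafe-eval'` and `data:`. Tightening the policy to something like `default-src 'self'; script-src 'self' https://www.google-analytics.com` clears them, at the cost of having to move inline scripts into files served from an allowed origin.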


By aem4beginner
