Configuring Adobe Experience Manager Dispatcher to Prevent CSRF Attacks
AEM (Adobe Experience Manager) provides a framework aimed at preventing Cross-Site Request Forgery attacks. To make proper use of this framework, make the following changes to your Dispatcher configuration:
- In the `/clientheaders` section of your `author-farm.any` and `publish-farm.any`, add the following entry to the bottom of the list:

  ```
  CSRF-Token
  ```

- In the `/filters` section of your `author-farm.any` and `publish-farm.any` or `publish-filters.any` file, add the following line to allow requests for `/libs/granite/csrf/token.json` through the Dispatcher:

  ```
  /0999 { /type "allow" /glob "* /libs/granite/csrf/token.json*" }
  ```

- Under the `/cache /rules` section of your `publish-farm.any`, add a rule to block the Dispatcher from caching the `token.json` file. Authors typically bypass caching, so you should not need to add this rule to your `author-farm.any`:

  ```
  /0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }
  ```
To validate that the configuration is working, watch `dispatcher.log` with the log level set to DEBUG. It lets you confirm that the `token.json` file is neither being cached nor being blocked by the filters. You should see messages similar to:

```
... checking [/libs/granite/csrf/token.json]
... request URL not in cache rules: /libs/granite/csrf/token.json
... cache-action for [/libs/granite/csrf/token.json]: NONE
```

You can also validate that requests are succeeding in your Apache `access_log`. Requests for `/libs/granite/csrf/token.json` should return an HTTP 200 status code.
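As an added validation helper (not part of the Adobe documentation), the following Python script applies the two checks described above to log lines: the `dispatcher.log` cache-action messages and the `access_log` status codes for `token.json`. The sample log lines are constructed, and the `Filter rejects:` wording is an assumption about the Dispatcher's filter-rejection message.

```python
import re

TOKEN_PATH = "/libs/granite/csrf/token.json"

# Constructed sample log lines (not from a real deployment). The dispatcher.log lines follow
# the three messages quoted above; the access_log lines use Apache's Common Log Format.
DISPATCHER_LOG = """\
[Mon Jan 01 12:00:00 2024] [D] [pid 1234] checking [/libs/granite/csrf/token.json]
[Mon Jan 01 12:00:00 2024] [D] [pid 1234] request URL not in cache rules: /libs/granite/csrf/token.json
[Mon Jan 01 12:00:00 2024] [D] [pid 1234] cache-action for [/libs/granite/csrf/token.json]: NONE
[Mon Jan 01 12:00:01 2024] [D] [pid 1234] checking [/content/site/en.html]
[Mon Jan 01 12:00:01 2024] [D] [pid 1234] cache-action for [/content/site/en.html]: CREATE
"""

ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /libs/granite/csrf/token.json HTTP/1.1" 200 61
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120
"""

CACHE_ACTION_RE = re.compile(r"cache-action for \[([^\]]+)\]: (\S+)")
# Assumed wording of the Dispatcher's filter-rejection message; adjust to your version's output.
FILTER_REJECT_RE = re.compile(r"Filter rejects: [A-Z]+ (\S+) ")
ACCESS_RE = re.compile(r'"[A-Z]+ (\S+) [^"]*" (\d{3})\b')


def token_cache_actions(dispatcher_log: str) -> list:
    """Every cache-action the Dispatcher logged for token.json (all should be NONE)."""
    return [act for url, act in CACHE_ACTION_RE.findall(dispatcher_log) if url == TOKEN_PATH]


def token_filter_rejections(dispatcher_log: str) -> int:
    """Number of times a /filters rule rejected a request for token.json (should be 0)."""
    return sum(1 for url in FILTER_REJECT_RE.findall(dispatcher_log) if url.startswith(TOKEN_PATH))


def token_status_codes(access_log: str) -> list:
    """HTTP status codes Apache returned for token.json requests (all should be 200)."""
    return [int(code) for url, code in ACCESS_RE.findall(access_log) if url.startswith(TOKEN_PATH)]


def check_csrf_token_config(dispatcher_log: str, access_log: str) -> dict:
    """Summarise whether the token.json request is uncached, unfiltered and served with 200."""
    actions = token_cache_actions(dispatcher_log)
    statuses = token_status_codes(access_log)
    return {
        "never_cached": bool(actions) and all(a == "NONE" for a in actions),
        "not_filtered": token_filter_rejections(dispatcher_log) == 0,
        "all_200": bool(statuses) and all(s == 200 for s in statuses),
    }
```

Feed it the real `dispatcher.log` (DEBUG level) and `access_log` contents; any `False` in the result points at the corresponding change above that is not taking effect.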