Wednesday, January 8, 2020

Major Vulnerabilities and Security Issues in AEM

Hello Everyone,

While working with AEM, there are several security concerns that need to be handled at the Apache (dispatcher) level to stop an attacker from attacking the website.
A few security headers are required to provide this protection at the Apache level.

1. X-XSS-Protection: The X-XSS-Protection header turns on the reflected-XSS filter built into older browsers and can prevent some reflected XSS attacks. Be aware that Chrome and Edge removed this filter in 2019 and Firefox never implemented it, so treat it as a legacy header only; the Content Security Policy in item 4 is the real control.

<IfModule mod_headers.c>
    <FilesMatch "\.(htm|html)$">
        # Force the XSS filter on (it is on by default in browsers that still have one)
        Header always set X-XSS-Protection "1; mode=block"
    </FilesMatch>
</IfModule>

There are four possible values for this header:

0: XSS filter disabled.
1: XSS filter enabled; the browser sanitizes the page if an attack is detected.
1; mode=block: XSS filter enabled; the browser refuses to render the page if an attack is detected.
1; report=<reporting-URI>: XSS filter enabled; the browser sanitizes the page and reports the violation to the given URI (Chromium-based browsers only).

Note: We use "1; mode=block" to implement this protection. It needs to be put in the publish.vhost file of every domain.

2. HTTP Strict Transport Security: The HSTS (HTTP Strict Transport Security) header instructs a browser to send all communication with the site over HTTPS. Once a browser has seen it, it upgrades plain HTTP requests to HTTPS internally and no longer lets the user click through certificate warnings. Before implementing this header you must ensure that every page of the website (and, with includeSubDomains, every subdomain) is reachable over HTTPS, otherwise those pages become inaccessible for the whole max-age period (two years in the example below).

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Note: AMS users can just uncomment it in the base_rewrite_rules file. Enable it only if the server is on HTTPS.

3. X-Frame-Options: Use the X-Frame-Options header to prevent clickjacking on your website. With this header you instruct the browser not to embed your web page in a frame/iframe on another origin (SAMEORIGIN) or anywhere at all (DENY).

<IfModule mod_headers.c>
    Header merge X-Frame-Options SAMEORIGIN
</IfModule>

Note: Both the X-XSS-Protection and X-Frame-Options directives belong inside an <IfModule mod_headers.c> block, as shown. "merge" only appends the value if it is not already present; if another layer (AEM itself, or a load balancer) sets a different X-Frame-Options value, the merged comma-separated header is invalid and browsers may ignore it, so check the final response with curl and use "Header always set" if you see two values.

4. Content Security Policy: Prevent XSS, clickjacking and other code-injection attacks by sending a Content Security Policy (CSP) header in your web page's HTTP response. The idea is that you define every origin from which content (scripts, styles, images, frames and so on) may be loaded on your website. If an attacker injects a reference to a domain that is not in the policy, the browser refuses to load it and logs a violation in the developer console.

In the example below, you need to use your website domain in place of

Header always set Content-Security-Policy "script-src blob: data: 'unsafe-inline' 'unsafe-eval' 'self'"

Caveat: this example allows 'unsafe-inline' and 'unsafe-eval' in script-src, which is exactly what an injected inline script needs, so on its own it does not stop XSS. Treat it as a starting point that keeps AEM's inline client libraries working, then remove those keywords (using nonces or hashes for any inline script you must keep) before relying on it. Clickjacking protection in CSP comes from the frame-ancestors directive, which this example does not set, so keep X-Frame-Options until it does.

Note: With this header in place, whenever you want to load a third-party library you need to add its domain to this configuration.
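To confirm that the dispatcher is really sending the four headers above with sane values, here is an added Python checker. It is not part of the original post and not AEM or Apache code; it takes a dict of response headers (for example copied from `curl -sI https://your-site/`) and reports what a reviewer would flag. The two header sets at the bottom are constructed samples, cdn.example.com is a placeholder domain, and the one-year HSTS floor is an assumption taken from the HSTS preload requirement.

```python
"""Audit a set of HTTP response headers against the four Apache-level
protections discussed above. Added example, not the post's own code."""
import re

# Assumption: one year is the usual floor (it is what HSTS preload requires)
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or None."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_headers(headers):
    """Return a list of findings for the given header dict (names are matched
    case-insensitively). An empty list means all four checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1. X-XSS-Protection: legacy browser filter; harmless to send, not a defence
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing (legacy header; CSP is the real control)")
    elif xss.replace(" ", "") != "1;mode=block":
        findings.append(f"X-XSS-Protection is {xss!r}, expected '1; mode=block'")

    # 2. HSTS: present, long max-age, covers subdomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short or missing: {hsts!r}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # 3. X-Frame-Options: only DENY and SAMEORIGIN are honoured by browsers
    xfo = h.get("x-frame-options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options missing or weak: {xfo!r}")

    # 4. CSP: script-src (or the default-src fallback) must not open the door
    #    that an injected script walks through
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
                if weak in script_src:
                    findings.append(f"CSP script-src allows {weak}; XSS is not blocked")
    return findings


# Constructed sample: the header values from the post; the CSP gets flagged
SAMPLE_FROM_POST = {
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains;",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "script-src blob: data: 'unsafe-inline' 'unsafe-eval' 'self'",
}

# Constructed sample: a tightened policy that passes every check
SAMPLE_HARDENED = {
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'self'",
}

if __name__ == "__main__":
    for name, sample in (("post example", SAMPLE_FROM_POST), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: {audit_headers(sample) or ['OK']}")
```

Run it against the real site by pasting the output of `curl -sI` into a dict; the post's own CSP produces three findings (unsafe-inline, unsafe-eval, data:), while the hardened sample produces none. The data: check matters because a `data:` script source lets an attacker ship a whole script in a URL without any external domain.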

Hope it will help you guys !!
Thanks and Happy Learning.


  1. Awesome tricks, very useful. Thanks for sharing.

  2. Hi, can you please write about the event handler and event listener topics in AEM?