Restrict Access
When configuring the Dispatcher, restrict external access as much as possible. See Example /filter Section in the Dispatcher documentation.
Make Sure Access to Administrative URLs is Denied
Make sure you use filters to block external access to any administrative URLs, such as the Web Console.
See Testing Dispatcher Security for a list of URLs that must be blocked.
Use Allowlists Instead Of Blocklists
Allowlists are a better way of providing access control since inherently, they assume that all access requests should be denied unless they are explicitly part of the allowlist. This model provides more restrictive control over new requests that might not have been reviewed yet or considered during a certain configuration stage.
Run Dispatcher with a Dedicated System User
When configuring the Dispatcher, ensure that the web server is run by a dedicated user with least privileges. It is recommended that you only grant write access to the Dispatcher cache folder.
Also, IIS users must configure their website as follows:
- In the physical path setting for your web site, select Connect as a specific user.
- Set the user.
Prevent Denial of Service (DoS) Attacks
A denial of service (DoS) attack is an attempt to make a computer resource unavailable to its intended users.
At the Dispatcher level, there are two methods of configuring filters to prevent DoS attacks:
- Use the mod_rewrite module (for example, Apache 2.4) to perform URL validations (if the URL pattern rules are not too complex).
- Prevent the Dispatcher from caching URLs with spurious extensions by using filters.
For example, change the caching rules to limit caching to the expected mime types, such as:
- .html
- .jpg
- .gif
- .swf
- .js
- .doc
- .pdf
- .ppt
An example configuration file can be seen for restricting external access. It includes restrictions for mime types.
To enable full functionality on the publish instances, configure filters to prevent access to the following nodes:
- /etc/
- /libs/
Then, configure filters to allow access to the following node paths:
- /etc/designs/*
- /etc/clientlibs/*
- /etc/segmentation.segment.js
- /libs/cq/personalization/components/clickstreamcloud/content/config.json
- /libs/wcm/stats/tracker.js
- /libs/cq/personalization/* (JS, CSS, and JSON)
- /libs/cq/security/userinfo.json (CQ user information)
- /libs/granite/security/currentuser.json (data must not be cached)
- /libs/cq/i18n/* (Internationalization)
Configure Dispatcher to prevent CSRF Attacks
AEM provides a framework aimed at preventing Cross-Site Request Forgery attacks. To make proper use of this framework, allowlist CSRF token support in the Dispatcher by doing the following:
- Create a filter to allow the /libs/granite/csrf/token.json path.
- Add the CSRF-Token header to the clientheaders section of the Dispatcher configuration.
Prevent Clickjacking
To prevent clickjacking, Adobe recommends that you configure your webserver to provide the X-FRAME-OPTIONS HTTP header set to SAMEORIGIN.
For more information on clickjacking, see the OWASP site.
Perform a Penetration Test
Adobe strongly recommends performing a penetration test of your AEM infrastructure before going into production.