Run AEM in production-ready mode, i.e. set the run mode to nosamplecontent. This run mode applies the following defaults:
- WebDAV is enabled on author but disabled on publish
- Mapped content and debug output are disabled for the script handler
- The CQ WCM edit filter is enabled on author but disabled on publish
- The HTML Library Manager has minify and gzip enabled, and debug and timing disabled
- The Sling GET servlet is set to its secure configuration
Enable HTTPS
Install security hotfixes
Change the default passwords for the admin and OSGi console admin accounts. To change the OSGi console password, open the OSGi Management Console configuration in configMgr.
Implement custom error handler
Configure replication and transport users
Check the operations and security health check dashboard
No sample content should be present on the instance
CRX development bundles should be disabled:
- Adobe CRX Support
- Adobe Granite CRX Explorer
- Adobe Granite CRXDE Lite
The Sling development bundle should also be disabled
Configure the Sling Referrer Filter and provide the list of allowed hosts. This protects against cross-site request forgery (CSRF).
Control selectors so that only the required selectors return results and all others return 404.
Prevent output of an unlimited number of content nodes.
Set the maximum depth of JSON rendering.
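As an added example (not from the original post), a hardened Sling Referrer Filter configuration for the publish tier in OSGi cfg.json form; the hostnames and the /apps path are placeholders assumed for illustration, and the cfg.json (OSGi Configurator) format accepts line comments.

```json
// Assumed location: /apps/myproject/osgiconfig/config.publish/org.apache.sling.security.impl.ReferrerFilter.cfg.json
{
  // Reject state-changing requests that carry no Referer header at all
  "allow.empty": false,

  // Only requests originating from these hosts (placeholders) are accepted;
  // the instance's own hostnames are always permitted in addition
  "allow.hosts": [
    "www.example.com",
    "author.example.com"
  ],

  // No wildcard host patterns: a broad regexp here would undo the list above
  "allow.hosts.regexp": [],

  // Methods the filter checks; GET/HEAD are not filtered because they must not change state
  "filter.methods": [
    "POST",
    "PUT",
    "DELETE",
    "COPY",
    "MOVE"
  ]
}
```

The companion file org.apache.sling.servlets.get.DefaultGetServlet.cfg.json carries the `json.maximumresults` property, which caps how many nodes a `.json` or `.infinity.json` rendering may return.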
Use firewall to limit the access to your instance
Disable advanced search in the Day CQ WCM Form Chooser Servlet.
The AssetDownloadServlet is disabled by default to prevent denial-of-service (DoS) attacks caused by bulk asset downloads.
Prevent clickjacking by sending the X-Frame-Options header set to SAMEORIGIN.
The XSS protection mechanism provided by AEM is based on the AntiSamy Java library from OWASP (the Open Web Application Security Project). The default AntiSamy configuration can be found at
/libs/cq/xssprotection/config.xml