Adobe Experience Manager (AEM): HTTP Security Headers for Websites

Albin Issac
Oct 25, 2020 · 4 min read

In this tutorial, let us discuss the different HTTP security headers and how to enable those headers for the AEM platform.

Headers are part of the HTTP specification, defining the metadata of the message in both the HTTP request and response.

Security headers are HTTP response headers that define whether a set of security precautions should be activated or deactivated on the web browser.

Let us see some of the most important security headers and how to enable those in the AEM platform.


Strict-Transport-Security

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

max-age=<expire-time> — The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

includeSubDomains — If this parameter is specified, this rule applies to all of the site’s subdomains as well.

preload — this parameter signals that the site owner consents to the site being included in the browsers' built-in HSTS preload list of HTTPS-only sites.

This informs the visiting browser that the current site (including subdomains) is HTTPS-only and must be accessed over HTTPS for the next 2 years (63072000 seconds).

Before implementing this header, ensure all your website pages (including sub-domain pages) are accessible over HTTPS; otherwise the browser will block them.

The header should be set by the web server (Dispatcher). To enable it in Apache, load the mod_headers module and add the following directive to the virtual host file:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

X-Frame-Options

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

DENY — The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN — The page can only be displayed in a frame on the same origin as the page itself.

The header should be set by the web server (Dispatcher). To enable it in Apache, load the mod_headers module and add the following directive to the virtual host file:

# Use "set" rather than "append": "append" merges with any X-Frame-Options value the backend
# already sends, producing a comma-separated list that is not a valid X-Frame-Options value.
Header always set X-Frame-Options SAMEORIGIN

The Content-Security-Policy(CSP) HTTP header has a frame-ancestors directive which overrides X-Frame-Options in modern browsers.

Refer to the below video for more details on X-Frame-Options and CSP frame-ancestors.

Content Security Policy (CSP)

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.

The header should be set by the web server (Dispatcher). To enable it in Apache, load the mod_headers module and add the following directive to the virtual host file:

Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://sub.mydomain.com; img-src 'self' https://www.example.com; frame-ancestors 'self' http://mydomain.com:8000"

The above header instructs the browser to:

load scripts (script-src) only from the same origin and https://sub.mydomain.com

load images (img-src) only from the same origin and https://www.example.com

allow only pages from the current origin and http://mydomain.com:8000 (frame-ancestors) to embed this page in a frame

Refer to the below URL for more details on CSP

X-Content-Type-Options

The X-Content-Type-Options header instructs browsers to honour the declared Content-Type (ensure you have set the content types correctly) and never sniff the type on their own.

The header should be set by the web server (Dispatcher). To enable it in Apache, load the mod_headers module and add the following directive to the virtual host file:

Header always set X-Content-Type-Options nosniff

Feature-Policy

The Feature-Policy header (since renamed Permissions-Policy in current browsers, with a different syntax) should be set by the web server (Dispatcher). To enable it in Apache, load the mod_headers module and add the following directive to the virtual host file.

Disable the geolocation and camera APIs for all contexts:

Header always set Feature-Policy "geolocation 'none'; camera 'none'"

Enable the geolocation and camera APIs only for pages from the current origin and from myexample1.com:

Header always set Feature-Policy "geolocation 'self' https://myexample1.com; camera 'self' https://myexample1.com"

Refer to the below URL for more details on Feature-Policy
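Once the directives above are in place, it is worth verifying what the Dispatcher actually sends, since a header can be missing, too short-lived, or mangled by a duplicate value. The following checker is an added example, not code from the original post or from AEM; it audits a constructed set of response headers against the rules described in this article (the header dictionary is sample data, not a real capture).

```python
"""Audit a captured set of HTTP response headers against the policy described above."""
import re

TWO_YEARS = 63072000  # max-age recommended above, in seconds

# Constructed sample: what a misconfigured Dispatcher might send.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    # Result of "Header append" on a header the backend already set:
    "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://sub.mydomain.com",
    "X-Content-Type-Options": "nosniff",
}


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < TWO_YEARS:
            findings.append("HSTS max-age below 63072000 (2 years)")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options")
    if "frame-ancestors" not in csp:
        # Browsers ignore X-Frame-Options when CSP frame-ancestors is present,
        # so X-Frame-Options only matters when that directive is absent.
        if xfo is None:
            findings.append("no framing protection (X-Frame-Options or frame-ancestors)")
        elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"X-Frame-Options has invalid value {xfo!r}")
    if not csp:
        findings.append("CSP missing")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("FINDING:", finding)
```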

These are some of the critical HTTP security headers that can be enabled to protect the AEM platform from common web attacks.

Feel free to provide your comments.

The Startup

Medium's largest active publication, followed by +754K people. Follow to join our community.

Albin Issac

Written by

Working as a Software Architect on Marketing Technologies. Reach out to me on Linkedin: https://www.linkedin.com/in/albin-issac-56917523/
