These are listed below, together with an explanation of how CRX deals with them.
XSS is a top priority during both testing and development, and any issues found are (typically) resolved immediately.
All access to data objects is mediated by the repository and is therefore restricted by role-based access control.
Cross-Site Request Forgery (CSRF) is mitigated by automatically injecting a cryptographic token into all forms and AJAX requests and verifying this token on the server for every POST.
In addition, AEM ships with a referrer-header based filter, which can be configured to only allow POST requests from specific hosts (defined in a list).
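As an added illustration (not CRX's or AEM's own code), the following Python sketch shows the two POST defences just described: a session-bound CSRF token that is verified on every POST, and a referrer-header filter that only admits POSTs from listed hosts. The header and form-field names, the HMAC construction and the sample hosts are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed per-process secret (assumption: a real server keeps this in protected config).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session via HMAC, so a token issued to another
    session, or guessed without the secret, does not verify."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, presented: Optional[str]) -> bool:
    """Recompute the expected token and compare in constant time."""
    if not presented:
        return False  # a POST without a token is rejected, not waved through
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def referrer_allowed(headers: dict, allowed_hosts: set) -> bool:
    """Referrer-header filter: the Referer host must be in the allow list.
    Assumption of this example: a missing or unparsable Referer is rejected."""
    host = urlsplit(headers.get("Referer", "")).hostname
    return host is not None and host.lower() in allowed_hosts


def accept_post(request: dict, session_id: str, allowed_hosts: set) -> bool:
    """Server-side decision for one POST: both the referrer filter and the
    token check must pass. The token may arrive as a header (AJAX) or as a
    form field (HTML form); both names are assumptions of this example."""
    headers, form = request.get("headers", {}), request.get("form", {})
    token = headers.get("X-CSRF-Token") or form.get("csrf_token")
    return referrer_allowed(headers, allowed_hosts) and verify_csrf_token(session_id, token)


if __name__ == "__main__":
    # Constructed sample: a legitimate AJAX POST and a cross-site request lacking the token.
    sid, hosts = "session-1234", {"author.example.com"}
    legit = {"headers": {"Referer": "https://author.example.com/content/page.html",
                         "X-CSRF-Token": issue_csrf_token(sid)}, "form": {}}
    cross_site = {"headers": {"Referer": "https://other.example.net/"}, "form": {}}
    print(accept_post(legit, sid, hosts), accept_post(cross_site, sid, hosts))  # True False
```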
It is impossible to guarantee that all software is always correctly configured. However, we strive to provide as much guidance as possible and make configuration as simple as possible. Furthermore, AEM ships with integrated Security Healthchecks that help you monitor security configuration at a glance.
Please review the Security Checklist, which provides step-by-step hardening instructions.
Passwords are stored as cryptographic hashes in the user node; by default, such nodes are readable only by the administrator and the user concerned.
Sensitive data such as third-party credentials are stored in encrypted form using a FIPS 140-2 certified cryptographic library.
The repository allows fine-grained privileges (as specified by JCR) to be set for any given user or group at any given path, through access control entries. Access restrictions are enforced by the repository.
Mitigated by server configuration (e.g. use HTTPS only).
Mitigated by restricting all redirects to user-supplied destinations to internal locations.