Application Security starts during the development phase. Adobe recommends to apply the following security best practices.

Use Request Session

Following the principle of least privilege, Adobe recommends that every repository access is done by using the session bound to the user request and proper access control.

Protect against Cross-Site Scripting (XSS)

Cross-site scripting (XSS) allows attackers to inject code into web pages viewed by other users. This security vulnerability can be exploited by malicious web users to bypass access controls.

AEM applies the principle of filtering all user-supplied content upon output. Preventing XSS is given the highest priority during both development and testing.

The XSS protection mechanism provided by AEM is based on the AntiSamy Java Library provided by OWASP (The Open Web Application Security Project). The default AntiSamy configuration can be found at


It is important that you adapt this configuration to your own security needs by overlaying the configuration file. The official AntiSamy documentation will provide you with all the information you need in order to implement your security requirements.


We strongly recommend you always access to the XSS protection API by using the XSSAPI provided by AEM.

Additionally, a web application firewall, such as mod_security for Apache, can provide reliable, central control over the security of the deployment environment and protect against previously undetected cross-site scripting attacks.

Access to Cloud Service Information


ACLs for the Cloud Service Information as well as the OSGi settings required to secure your instance are automated as part of the Production Ready Mode. While this means that you do not need to make the configuration changes manually, it is still recommended that you review them before you go live with your deployment.

When you integrate your AEM instance with the Adobe Marketing Cloud you use Cloud Service configurations. Information about these configurations, together with any statistics collected are stored in the repository. We recommend that, if you are using this functionality, you review whether the default security on this information matches your requirements.

The webservicesupport module writes statistics and configuration information under:


With the default permissions:

  • Author environment: read for contributors

  • Publish environment: read for everyone

Protect against Cross-Site Request Forgery Attacks

For more information on the security mechanisms AEM employs to mitigate CSRF attacks, see the Sling Referrer Filter section of the Security Checklist and the CSRF Protection Framework documentation.

On this page