Requests to CSRF token and custom servlet endpoints return 404 error in AEMaaCS

Requests to the CSRF token and custom servlet endpoints fail with 404 errors on Adobe Experience Manager as a Cloud Service (AEMaaCS) publish instances when CDN edge authentication blocks these paths at the edge. To resolve the issue, configure CDN rules to bypass authentication for these endpoints.

Description

Environment

  • Product: Adobe Experience Manager as a Cloud Service (AEMaaCS)
  • Scenario: Publish environment requests to system endpoints through the CDN

Issue/Symptoms

  • Requests to /libs/granite/csrf/token.json return 404 errors on the Publish environment.
  • Custom servlet endpoints, such as those under /bin, also return 404 errors only on Publish.
  • The same requests succeed in local environments and on Author instances without errors.
  • Dispatcher filters are correctly configured to allow these endpoints, indicating that the issue occurs before the request reaches the dispatcher or publish tier.

Resolution

Follow these steps to resolve the issue:

  1. Review the CDN configuration and identify any edge authentication rules that apply to system endpoints, including /libs/granite/csrf/token.json and custom servlet paths under /bin.
  2. Update the CDN rules for the affected environment so that edge authentication does not apply to these endpoints, and explicitly configure bypasses for the CSRF token path and required servlet routes.
  3. Deploy the updated CDN configuration through your Cloud Manager delivery pipeline, following your standard validation and approval process, and ensure the changes are successfully applied to the target environment.
  4. Test access to /libs/granite/csrf/token.json and affected custom servlet endpoints from an external client through the full delivery chain.
  5. Verify that the endpoints now return HTTP 200 responses and expected payloads instead of 404 errors.

Note: No AEM permission changes are typically needed if you resolve the issue by adjusting CDN rules. Always validate with your security and governance policies before changing access controls.
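A check for steps 4 and 5, written as an added example (not Adobe's code): it requests each bypassed endpoint without credentials through the CDN and also confirms that a control path outside the bypass is still not served openly. The /bin servlet route, the control path, and the base URL are placeholders to replace with your own values.

```python
import json
import sys
import urllib.error
import urllib.request

# From the page: the CSRF token path. The /bin path is a placeholder servlet route.
BYPASSED = ["/libs/granite/csrf/token.json", "/bin/example/servlet"]
# Assumption: a path that must remain behind edge authentication.
PROTECTED = ["/content/example/protected.html"]


def fetch(base_url, path, timeout=10):
    """Unauthenticated GET through the full delivery chain; returns (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def evaluate(path, status, body, expect_open):
    """Return 'ok' or a failure reason for one response."""
    if not expect_open:
        if status == 200:
            return f"FAIL {path}: HTTP 200 without credentials, bypass is too broad"
        return "ok"
    if status != 200:
        return f"FAIL {path}: HTTP {status}, edge authentication bypass not in effect"
    if path.endswith(".json"):
        try:  # only the JSON shape is checked, not the token value
            if not isinstance(json.loads(body), dict):
                return f"FAIL {path}: HTTP 200 but payload is not a JSON object"
        except ValueError:
            return f"FAIL {path}: HTTP 200 but payload is not JSON"
    return "ok"


def run(base_url, fetcher=fetch):
    """Check every path and return the list of failure reasons (empty when clean)."""
    checks = [(p, True) for p in BYPASSED] + [(p, False) for p in PROTECTED]
    results = [evaluate(p, *fetcher(base_url, p), is_open) for p, is_open in checks]
    return [r for r in results if r != "ok"]


if __name__ == "__main__":
    failures = run(sys.argv[1])  # e.g. https://publish.example.invalid
    print("\n".join(failures) or "all checks passed")
    sys.exit(1 if failures else 0)
```

Run it from a client outside your network after the pipeline deployment completes; a non-zero exit code means either a bypass is missing or it covers more than intended.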

  • CDN in the AEM as a Cloud Service User Guide
  • CSRF protection in the AEM as a Cloud Service Tutorials