Content‑Security‑Policy header missing on AEM Author login endpoints
The AEM as a Cloud Service Author login endpoints do not include a Content-Security-Policy (CSP) header, which security scans often flag as an issue. This article explains why the CSP header is missing and describes the recommended actions to address the finding according to current product behavior.
Description
Environment
- Product: Adobe Experience Manager as a Cloud Service (AEMaaCS) – Assets
- Constraints: Applies to Author environment, specifically login UI endpoints
Issue/Symptoms
- Security scans detect that the CSP HTTP header is absent on Author login URLs.
- Findings appear on URLs such as /libs/granite/core/content/login.html.
- Scans target administrative or internal pages rather than public-facing application pages.
Resolution
Note: There is no product switch or configuration that enables CSP headers for the AEM as a Cloud Service Author login UI. Treat the missing CSP header on these endpoints as informational unless your governance standards require stricter action.
- Understand that no supported method enables CSP for the out‑of‑the‑box AEM Author login UI in AEM as a Cloud Service.
- Recognize that CSP acts as a defense‑in‑depth measure, and its absence on these endpoints does not represent a product vulnerability.
- Review your organization’s governance and security requirements for internal administrative URLs.
- If your governance allows it, exclude internal Author or admin URLs from external scoring scans. Alternatively, accept the finding as low risk because authentication, network controls, and other XSS mitigations protect these endpoints.
- Verify with your security team that excluding the URLs or accepting the risk aligns with your policy.
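The triage the steps above describe (distinguish a missing CSP header on an internal Author or admin URL, which this article treats as informational, from a missing header on a public-facing page, which still deserves review) can be scripted against scan output. The following is an added example, not part of this article and not Adobe product code; the list of internal admin path prefixes, the hostnames, and the captured response headers are all constructed for illustration and would be replaced by your own governance list and real scan data.

```python
"""Triage 'missing Content-Security-Policy header' scan findings.

Added example (not Adobe's code). Classifies each captured response as:
  'ok'            - a CSP header is present
  'informational' - no CSP header, but the URL is an internal Author/admin page
                    (this article treats that as informational)
  'review'        - no CSP header on any other page; needs a look
"""
from urllib.parse import urlparse

# Assumed internal Author/admin path prefixes (illustrative; use your own governance list).
INTERNAL_ADMIN_PREFIXES = (
    "/libs/granite/core/content/login",
)

# Both the enforcing and report-only header names count as "CSP present".
CSP_HEADER_NAMES = ("content-security-policy", "content-security-policy-report-only")


def has_csp(headers):
    """Return True when the response headers include a CSP header (names are case-insensitive)."""
    names = {name.lower() for name in headers}
    return any(name in names for name in CSP_HEADER_NAMES)


def is_internal_admin(url):
    """Return True when the URL path starts with one of the assumed internal admin prefixes."""
    return urlparse(url).path.startswith(INTERNAL_ADMIN_PREFIXES)


def triage(url, headers):
    """Classify one captured response (see module docstring for the three outcomes)."""
    if has_csp(headers):
        return "ok"
    return "informational" if is_internal_admin(url) else "review"


def triage_all(responses):
    """Map each (url, headers) pair from a scan capture to its triage result."""
    return {url: triage(url, headers) for url, headers in responses}


# Constructed sample capture (hostnames and headers are made up, not real scan output).
SAMPLE_RESPONSES = [
    ("https://author.example.test/libs/granite/core/content/login.html",
     {"Content-Type": "text/html;charset=utf-8", "X-Frame-Options": "SAMEORIGIN"}),
    ("https://www.example.test/content/site/en.html",
     {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"}),
    ("https://www.example.test/content/site/fr.html",
     {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for url, verdict in triage_all(SAMPLE_RESPONSES).items():
        print(f"{verdict:14} {url}")
```

Only findings that come back as `review` need attention; `informational` results are the Author login URLs this article covers, which you can exclude from external scoring scans or accept as low risk once your security team agrees.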