Applying Subresource Integrity and restricting direct access to Adobe RUM scripts

The Adobe Real User Monitoring (RUM) script in AEM as a Cloud Service exposes internal environment details and remains directly accessible from the publisher domain even after enabling an external domain configuration. This creates security and access-control concerns and raises questions about applying Subresource Integrity (SRI) without affecting RUM functionality. To fix this, serve the RUM script from an external domain, update Content Security Policy settings, optionally apply SRI, and block direct access to the script on the publisher domain while keeping telemetry collection intact.

Description

Environment

  • Product: Adobe Experience Manager as a Cloud Service – Sites
  • Constraints: Managed Services, Production environment

Issue/Symptoms

  • The Adobe RUM script is injected into published pages with a data-routing attribute that exposes internal environment details.
  • After enabling External Domain configuration, the script loads from an external origin but remains directly accessible through the publisher domain.
  • There is a requirement to apply SRI for additional security and to block direct access to the script from the publisher domain.
  • There are concerns about information exposure and whether these changes affect RUM functionality.

Resolution

Follow these steps to resolve the issue:

  1. Enable the External Domain configuration so the Adobe RUM script loads from an external origin instead of the publisher domain.
  2. Update the Content Security Policy (CSP) header to allow script loading from the external domain used by RUM.
  3. Apply Subresource Integrity (SRI) attributes to the externally loaded RUM script if additional integrity validation is required. The integrity hash must match the served script byte for byte, so it has to be regenerated whenever the external script changes; otherwise the browser refuses to execute the script and RUM data collection silently stops. A cross-origin script also needs crossorigin="anonymous" on its script tag for the browser to perform the SRI check.
  4. Configure CDN traffic filter rules to deny direct requests to the RUM script path on the publisher domain, such as /.rum/*.
  5. Verify that the RUM script loads successfully from the external domain, direct access to the script on the publisher domain is blocked, and site functionality and data collection continue without interruption.

Notes

  • Subresource Integrity (SRI) provides limited value when scripts are served from the same origin, because anyone able to alter a same-origin script can usually alter the page that carries the hash as well. It’s most effective for validating scripts loaded from external origins, where the page and the script are under different control.
  • Blocking direct access to the RUM script at the CDN or dispatcher level doesn’t affect RUM functionality when the script loads exclusively from an allowed external domain.
  • Program ID and environment ID values exposed in data-routing attributes don’t by themselves create a security risk, because these identifiers don’t grant access to AEM environments or data.