AEM RUM script security and performance issues with WAF and CDN

Adobe Experience Manager (AEM) as a Cloud Service injects the Real User Monitoring (RUM) script on publish pages. In strictly configured environments this causes security and performance issues such as WAF blocks, excessive telemetry requests, and reverse-proxy restrictions. The issues stem from the high request volume, the relative script and telemetry paths, or strict security rules. To resolve them, allow the RUM host and endpoints, adjust the proxy and CSP rules, and validate the result in the WAF and CDN logs.

Description

Environment

Adobe Experience Manager as a Cloud Service (AEMaaCS)

Issue/Symptom

  • The WAF or CDN blocks repeated POST requests to /.rum/100 and shows errors such as 403 Access Denied.
  • The environment shows repeated POST requests to /.rum/100, which causes excessive network activity or rate-limit lockouts.
  • Security scans flag unfamiliar script paths such as /.rum/@adobe/helix-rum-js@2/dist/rum-standalone.js.
  • The reverse proxy blocks relative RUM paths such as /.rum/..., which prevents the RUM script from loading.
  • The CDN adds unexpected query strings, which triggers repeated RUM retries and WAF blocks.

Root cause

The issue occurs when the AEM RUM script, which AEM as a Cloud Service injects by default for operational telemetry, sends frequent requests to relative endpoints such as /.rum/100. Strict CDN, WAF, or proxy configurations treat the request pattern, relative path, or modified requests as suspicious activity, which results in blocked traffic, repeated retries, or security findings.

Resolution

Follow these steps to identify the RUM issue type and apply the appropriate fix:

  1. Identify the issue type by matching the observed behavior to one of these scenarios: the reverse proxy blocks the script path, the WAF blocks the telemetry endpoint, the telemetry request volume is excessive, a security scanner flags the RUM paths, or RUM must be disabled.
  2. Resolve reverse-proxy blocking by allowing rum.hlx.page in the CDN, WAF, or proxy configuration and in the CSP so the script loads from a fully qualified domain instead of a relative path. In the CSP, script-src governs loading the script from that host; if the telemetry requests are also sent to that host, connect-src must allow it too.
  3. Resolve WAF blocking by allowing POST requests to the telemetry endpoint /.rum/100 and confirming in the WAF logs that legitimate telemetry traffic no longer returns 403.
  4. Address security scan findings by reviewing the flagged RUM paths and confirming that Adobe injects the script and that the path is expected and safe.
  5. Disable or restrict RUM by opening a support request if you need the RUM script disabled, because you cannot disable it through code.
  6. Clear the CDN cache after any RUM configuration change to remove stale RUM scripts and apply the updated behavior.
  7. Validate RUM reporting by confirming that pages load correctly, that the script uses the intended domain or remains disabled, and that RUM-related errors no longer appear in the WAF or CDN logs.
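To check step 2 before a deployment, the following added example (not code from the Adobe article) parses a Content-Security-Policy header and reports which of script-src and connect-src would still refuse rum.hlx.page. It assumes the script is fetched from that host (governed by script-src) and that the telemetry POSTs go to the same host (governed by connect-src); the header strings are constructed, and source matching is simplified to host, scheme and `*.` wildcards.

```python
"""Check whether a Content-Security-Policy header lets the AEM RUM script
load from rum.hlx.page and post telemetry back to it.

Added example, not code from the Adobe article. Assumptions: the script is
fetched from rum.hlx.page (script-src) and the telemetry POSTs go to the same
host (connect-src). Source matching is simplified: host, scheme and '*.'
wildcards only, no path or port matching, no nonce or hash handling.
"""

RUM_HOST = "rum.hlx.page"
RUM_DIRECTIVES = ("script-src", "connect-src")


def parse_csp(header):
    """Return {directive: [source, ...]}. Per the CSP spec a repeated
    directive is ignored, so only the first occurrence is kept."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_allowed(sources, host):
    """True if any source expression in the list matches the given host."""
    for src in sources:
        s = src.strip("'").lower()
        if s in ("*", "https:"):                    # wildcard or https: scheme-source
            return True
        if "://" in s:                              # drop the scheme
            s = s.split("://", 1)[1]
        s = s.split("/", 1)[0].split(":", 1)[0]     # drop path and port
        if s == host:
            return True
        if s.startswith("*.") and host.endswith(s[1:]):
            return True
    return False


def rum_csp_gaps(header, host=RUM_HOST):
    """Return the directives that would still block RUM; [] means the header is fine."""
    policy = parse_csp(header)
    gaps = []
    for directive in RUM_DIRECTIVES:
        sources = policy.get(directive)
        if sources is None:                         # browsers fall back to default-src
            sources = policy.get("default-src")
        if sources is None:                         # neither set: unrestricted
            continue
        if not host_allowed(sources, host):
            gaps.append(directive)
    return gaps


# Constructed headers: the first blocks RUM, the second allows it.
CSP_BLOCKING = "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'"
CSP_FIXED = ("default-src 'self'; script-src 'self' https://rum.hlx.page; "
             "connect-src 'self' https://rum.hlx.page")

if __name__ == "__main__":
    for label, header in (("blocking", CSP_BLOCKING), ("fixed", CSP_FIXED)):
        print(f"{label}: gaps={rum_csp_gaps(header)}")
```

Run it against the header your CDN or dispatcher actually emits (copy it from the response headers of a publish page); an empty list means the policy is not the reason the script fails to load.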

When to escalate:

  • The issue continues after allowing the endpoints and updating the proxy, CDN, or WAF configuration.
  • The telemetry requests still trigger repeated blocks or high request spikes.
  • The RUM script continues to load or behave incorrectly after the configuration change.
  • Disabling the RUM script requires Adobe Support intervention.
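Deciding whether to escalate means reading the WAF or CDN logs for the symptoms listed above. The following added example (not code from the Adobe article or from the RUM project) triages constructed log lines in an assumed, simplified layout (client IP, method, request target, status, user agent) and maps what it finds to the issue types from the Resolution section: 403s on POSTs to /.rum/100, a per-client request spike, query strings appended to telemetry requests, and a blocked script path. The status threshold, spike threshold and log format are assumptions, not the format of any particular CDN product.

```python
"""Triage CDN/WAF log lines for AEM RUM traffic.

Added example, not from the Adobe article. Log layout is assumed:
<client-ip> <method> <path[?query]> <status> <user-agent>
"""
import re
from collections import Counter

LOG_LINE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})(?: (?P<ua>.*))?$"
)
TELEMETRY_PATH = re.compile(r"^/\.rum/\d+$")   # e.g. /.rum/100
SCRIPT_MARKER = "helix-rum-js"                  # e.g. /.rum/@adobe/helix-rum-js@2/dist/rum-standalone.js

# Constructed sample, not real traffic: one client retrying blocked beacons,
# one client whose beacons carry CDN-added query strings, one healthy client.
SAMPLE_LOG = """\
203.0.113.5 POST /.rum/100 403 Mozilla/5.0
203.0.113.5 POST /.rum/100 403 Mozilla/5.0
203.0.113.5 POST /.rum/100 403 Mozilla/5.0
203.0.113.5 GET /.rum/@adobe/helix-rum-js@2/dist/rum-standalone.js 200 Mozilla/5.0
198.51.100.7 POST /.rum/100?cb=1729 403 Mozilla/5.0
198.51.100.7 POST /.rum/100?cb=1730 403 Mozilla/5.0
198.51.100.7 GET /content/site/en.html 200 Mozilla/5.0
192.0.2.9 POST /.rum/100 201 Mozilla/5.0
"""

# Constructed sample of what the log should look like after the fix.
SAMPLE_LOG_AFTER_FIX = """\
203.0.113.5 GET /.rum/@adobe/helix-rum-js@2/dist/rum-standalone.js 200 Mozilla/5.0
203.0.113.5 POST /.rum/100 201 Mozilla/5.0
192.0.2.9 POST /.rum/100 201 Mozilla/5.0
"""


def parse(log_text):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        path, _, query = rec["target"].partition("?")
        rec["path"], rec["query"], rec["status"] = path, query, int(rec["status"])
        yield rec


def triage(log_text, spike_threshold=3):
    """Count the RUM symptoms in the log. spike_threshold is the number of
    telemetry POSTs from one client that counts as a spike (assumed value)."""
    per_client = Counter()
    report = {"total_rum": 0, "blocked_telemetry": 0, "blocked_script": 0,
              "query_string_telemetry": 0, "rum_paths": set(), "spike_clients": []}
    for rec in parse(log_text):
        if not rec["path"].startswith("/.rum/"):
            continue
        report["total_rum"] += 1
        report["rum_paths"].add(rec["path"])
        blocked = rec["status"] in (401, 403)
        if rec["method"] == "POST" and TELEMETRY_PATH.match(rec["path"]):
            per_client[rec["ip"]] += 1
            if blocked:
                report["blocked_telemetry"] += 1
            if rec["query"]:
                report["query_string_telemetry"] += 1
        elif SCRIPT_MARKER in rec["path"] and blocked:
            report["blocked_script"] += 1
    report["spike_clients"] = sorted(ip for ip, n in per_client.items() if n >= spike_threshold)
    report["rum_paths"] = sorted(report["rum_paths"])   # review these against scanner findings
    return report


def verdict(report):
    """Map the counts to the issue types named in the Resolution section."""
    issues = []
    if report["blocked_script"]:
        issues.append("reverse-proxy blocking")
    if report["blocked_telemetry"]:
        issues.append("WAF blocking")
    if report["spike_clients"]:
        issues.append("excessive telemetry")
    if report["query_string_telemetry"]:
        issues.append("CDN query strings")
    return issues


if __name__ == "__main__":
    for label, log in (("before", SAMPLE_LOG), ("after", SAMPLE_LOG_AFTER_FIX)):
        r = triage(log)
        print(label, r)
        print(label, "issue types:", verdict(r) or "none")
```

An empty verdict on a log window taken after the change is the evidence that the fix worked; a non-empty one after allowing the endpoints and updating the proxy, CDN, or WAF rules is the point at which to escalate.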