Configuring Adobe Experience Manager Dispatcher to Prevent CSRF Attacks

Last update: May 28, 2024

CREATED FOR:

  • Admin

AEM (Adobe Experience Manager) provides a framework aimed at preventing Cross-Site Request Forgery attacks. To make proper use of this framework, make the following changes to your Dispatcher configuration:

NOTE
Be sure to update the rule numbers in the examples below based on your existing configuration. Remember that Dispatchers use the last matching rule to grant an allow or deny, so place the rules near the bottom of your existing list.

  1. In the /clientheaders section of your author-farm.any and publish-farm.any, add the following entry to the bottom of the list:
    CSRF-Token

  2. In the /filters section of your author-farm.any and publish-farm.any or publish-filters.any file, add the following line to allow requests for /libs/granite/csrf/token.json through the Dispatcher.
    /0999 { /type "allow" /glob " * /libs/granite/csrf/token.json*" }

  3. Under the /cache /rules section of your publish-farm.any, add a rule to block the Dispatcher from caching the token.json file. Typically authors bypass caching, so you should not need to add the rule into your author-farm.any.

    /0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }

To validate that the configuration is working, watch the dispatcher.log in DEBUG mode. It can help you to validate that the token.json file to ensure that it is not getting cached or blocked by filters. You should see messages similar to:
... checking [/libs/granite/csrf/token.json]
... request URL not in cache rules: /libs/granite/csrf/token.json
... cache-action for [/libs/granite/csrf/token.json]: NONE

You can also validate that requests are succeeding in your Apache access_log. Requests for ``/libs/granite/csrf/token.json should return an HTTP 200 status code.

Experience Manager