AEM (Adobe Experience Manager) provides a framework aimed at preventing Cross-Site Request Forgery attacks. To make proper use of this framework, make the following changes to your Dispatcher configuration:
To validate that the configuration is working, watch the dispatcher.log in DEBUG mode. It can help you verify that the token.json file is not getting cached or blocked by filters. You should see messages similar to:
```
... checking [/libs/granite/csrf/token.json]
... request URL not in cache rules: /libs/granite/csrf/token.json
... cache-action for [/libs/granite/csrf/token.json]: NONE
```
You can also validate that requests are succeeding in your Apache access_log. Requests for `/libs/granite/csrf/token.json` should return an HTTP 200 status code.
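The two checks above can be automated. The following Python script is an added example, not part of the Adobe documentation or the Dispatcher itself; it runs over constructed sample log lines, and the timestamp/pid prefix on the dispatcher.log lines and the access_log format are assumptions.

```python
import re

# Constructed dispatcher.log DEBUG lines modelled on the messages quoted above;
# the "[date] [D] [pid N]" prefix is an assumption, not a real capture.
DISPATCHER_LOG = """\
[Mon Jan 01 10:00:00 2024] [D] [pid 1234] checking [/libs/granite/csrf/token.json]
[Mon Jan 01 10:00:00 2024] [D] [pid 1234] request URL not in cache rules: /libs/granite/csrf/token.json
[Mon Jan 01 10:00:00 2024] [D] [pid 1234] cache-action for [/libs/granite/csrf/token.json]: NONE
[Mon Jan 01 10:00:01 2024] [D] [pid 1234] checking [/content/site/en.html]
[Mon Jan 01 10:00:01 2024] [D] [pid 1234] cache-action for [/content/site/en.html]: CREATE
"""

# Constructed Apache access_log lines in combined log format (not a real capture).
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /libs/granite/csrf/token.json HTTP/1.1" 200 57 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

TOKEN_PATH = "/libs/granite/csrf/token.json"
CACHE_ACTION_RE = re.compile(r"cache-action for \[(?P<url>[^\]]+)\]: (?P<action>\S+)")
ACCESS_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

def cache_actions(log_text):
    """Map each URL seen in dispatcher.log to its cache-action (the last one seen wins)."""
    actions = {}
    for line in log_text.splitlines():
        m = CACHE_ACTION_RE.search(line)
        if m:
            actions[m.group("url")] = m.group("action")
    return actions

def token_statuses(access_log_text):
    """Return the HTTP status code of every access_log request for token.json."""
    return [int(m.group("status"))
            for m in map(ACCESS_RE.search, access_log_text.splitlines())
            if m and m.group("url") == TOKEN_PATH]

def token_endpoint_ok(log_text, access_log_text):
    """True only if token.json is never cached (action NONE) and every request to it returned 200."""
    action = cache_actions(log_text).get(TOKEN_PATH)
    statuses = token_statuses(access_log_text)
    return action == "NONE" and bool(statuses) and all(s == 200 for s in statuses)

if __name__ == "__main__":
    print("token.json OK" if token_endpoint_ok(DISPATCHER_LOG, ACCESS_LOG) else "token.json misconfigured")
```

A cache-action other than NONE means a stale token could be served to every visitor, and a non-200 status (for example a filter rejection) means clients never receive a token at all.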