Security headers missing and HTTPS not enforced on Dynamic Media custom domains in Adobe Experience Manager
Security assessments flag AEM Dynamic Media custom domains for missing security headers and for allowing HTTP access. This article describes how these headers are implemented and how HTTP traffic is redirected to HTTPS to secure Dynamic Media endpoints.
Description
Environment
- Product: Adobe Experience Manager Dynamic Media/Scene7
- Instance: Production
Problem/symptom
The following issues occur on Dynamic Media custom domains:
- The Content-Security-Policy header is missing from HTTP responses.
- The X-Content-Type-Options header is missing.
- The Strict-Transport-Security (HSTS) header is not enabled or configured.
- HTTP requests are not redirected to HTTPS, allowing insecure access.
Resolution
Follow these steps to resolve the issue:
1. Review the current response headers for your Dynamic Media custom domains by sending a request to an image URL over both HTTP and HTTPS (for example, with curl -I).
2. Confirm that the following headers are present in the HTTPS response (browsers ignore an HSTS header sent over plain HTTP, so check it on the HTTPS response):
   - Content-Security-Policy
   - X-Content-Type-Options
   - Strict-Transport-Security (HSTS)
3. Ensure that any HTTP request receives a 301 redirect to the equivalent HTTPS URL.
4. If any headers are missing or HTTP requests are not redirected, contact Adobe Support with your Dynamic Media account name and the affected domain details.
5. After Adobe Engineering updates the configuration, repeat step 1 to verify that all required security headers are present and all traffic is enforced over HTTPS.
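The checks in steps 1 to 3 can be scripted so that the same verification is run before contacting Adobe Support and again after Engineering updates the configuration. The script below is an added example, not Adobe tooling or part of this article: it reads raw response headers (as printed by curl -I) and reports whether the three required headers are present and whether a plain-HTTP request is answered with a 301 to the https:// equivalent. The host images.example.com and the /is/image/... path are hypothetical, and the header responses embedded in the script are constructed samples so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the article or Adobe): verify security headers and
# the HTTP->HTTPS redirect on a Dynamic Media custom domain.

# check_headers: read raw HTTP response headers on stdin and report which of
# the required security headers are missing. Returns 0 only if all are present.
check_headers() {
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')   # strip CR, compare case-insensitively
  missing=""
  for h in content-security-policy x-content-type-options strict-transport-security; do
    printf '%s\n' "$hdrs" | grep -q "^$h:" || missing="$missing $h"
  done
  if [ -n "$missing" ]; then
    echo "missing:$missing"
    return 1
  fi
  echo "all required headers present"
  return 0
}

# check_redirect: read the headers of a plain-HTTP response on stdin and
# require a 301 whose Location is the https:// form of the requested URL.
check_redirect() {
  url=$1
  expected="https://${url#http://}"
  hdrs=$(tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
  location=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2; exit}')
  if [ "$status" = "301" ] && [ "$location" = "$expected" ]; then
    echo "HTTP redirects (301) to $location"
    return 0
  fi
  echo "no HTTPS redirect: status=$status location=${location:-none}"
  return 1
}

# Constructed sample responses (not captured from a real host).
sample_good_https() {
cat <<'EOF'
HTTP/2 200
content-type: image/jpeg
content-security-policy: default-src 'none'; img-src 'self'
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains
EOF
}

sample_missing_headers() {
cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: image/jpeg
Server: Apache
EOF
}

sample_http_redirect() {
cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Location: https://images.example.com/is/image/Example/hero
EOF
}

# Demo on the constructed samples. Against a live domain, replace the sample
# with curl, for example:
#   curl -sI "https://images.example.com/is/image/Example/hero" | check_headers
#   curl -sI "http://images.example.com/is/image/Example/hero" \
#     | check_redirect "http://images.example.com/is/image/Example/hero"
sample_good_https | check_headers || :
sample_missing_headers | check_headers || :
sample_http_redirect | check_redirect "http://images.example.com/is/image/Example/hero" || :
```

Run the HTTPS request through check_headers and the HTTP request through check_redirect; a non-zero exit from either is the evidence to include when contacting Adobe Support, and a clean pass after the configuration change closes step 5. The redirect check deliberately accepts only a 301 to the exact https:// equivalent, as the article requires, so a redirect to a different host or a 302 is reported as a failure.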
Note: Implementing these security controls requires coordination with Adobe Support and Engineering teams. Custom domain configurations vary depending on account settings.