Content Security Policy (CSP) is a browser-enforced control that mitigates Cross-Site Scripting (XSS). A nonce-based script-src policy only allows scripts whose nonce attribute matches the fresh value carried in the response header, which is awkward on an AEM Dispatcher: the cached HTML is static, but the nonce must change on every response. This blog post walks through an Apache/Dispatcher configuration that generates the nonce per request with mod_unique_id and injects it into the cached markup with Server Side Includes (SSI), so the cache stays cacheable and every response still gets its own nonce.
Prerequisites:
- The mod_unique_id, mod_headers and mod_include modules enabled in your Apache configuration (mod_include provides the INCLUDES output filter used below).
Configuration Steps:
- Apache SSI Configuration (Before Dispatcher Configuration):
  - Locate your httpd.conf file or the relevant Apache configuration file for your environment.
  - Add the following lines, inside the <Directory> block that covers the Dispatcher document root (the cache), to enable SSI processing:

        Options +Includes
        AddType text/html .html
        AddOutputFilter INCLUDES .html

    These lines achieve the following:
    - Options +Includes: enables SSI processing within the directory. Make sure it applies to the directory containing your AEM Dispatcher document root, because that is where the cached files are served from.
    - AddType text/html .html: defines that files with the .html extension are served as HTML content.
    - AddOutputFilter INCLUDES .html: instructs Apache to run the mod_include filter over all .html files, so the SSI directive stored in the cached file is evaluated on every request rather than once at caching time.
- Dispatcher vHost Configuration:
  - Within your Dispatcher's virtual host configuration file, locate the section for the desired AEM server.
  - Add the following line to set the Content-Security-Policy header for script sources. The value must be quoted, because it contains spaces and single quotes; unquoted, Apache would read script-src and the nonce source as two separate arguments and reject the directive:

        Header always set Content-Security-Policy "script-src 'nonce-%{UNIQUE_ID}e'"

    This leverages the mod_unique_id module, which generates a unique identifier (UNIQUE_ID) for each request and exports it as an environment variable. The e at the end of %{UNIQUE_ID}e tells mod_headers to read the value from the request environment.
  - Existing CSP Header: If your AEM already sets a Content-Security-Policy header, you can append the script-src directive instead of overwriting the entire policy:

        <IfModule mod_headers.c>
            Header edit "Content-Security-Policy" ^(.*)$ "$1; script-src 'nonce-%{UNIQUE_ID}e'"
        </IfModule>

    This only works if the existing policy has no script-src directive yet. Browsers honour the first occurrence of a directive and ignore any repeat, so an appended second script-src would be silently discarded and the nonce would never take effect. If script-src is already present, edit that directive to add the nonce source instead of appending a new one.
- AEM Script Block Modification:
  There are two approaches to add the nonce attribute with the unique ID to all script blocks in AEM:

  A. Using Apache Server Side Includes (SSI):
  - Within your AEM script component or template, modify the opening <script> tag to include the following SSI directive:

        <script nonce='<!--#echo var="UNIQUE_ID" -->'>

    The markup stored in the Dispatcher cache still contains the directive; mod_include replaces it on each request with that request's UNIQUE_ID, so the attribute always matches the header set in the vHost. Note that the most important part on the AEM side is to emit the nonce in exactly this form so that the Dispatcher processes it as SSI; the single-quoted attribute keeps the double quotes inside the directive intact. If a page shows the directive literally in the browser, SSI is not being applied to that file.

  B. Using an AEM Transformer:
  - Alternatively, you can develop a custom Sling Rewriter Transformer in AEM that processes all script tags and adds the nonce='<!--#echo var="UNIQUE_ID" -->' attribute, so that the implementation remains in one place and none of your scripts break. Check that the serializer writes the attribute value unescaped: if the quotes or angle brackets come out entity-encoded, mod_include will not recognize the directive.
Benefits:
- This configuration ensures that only scripts carrying the nonce generated by the Dispatcher for that particular request are allowed to execute; an injected inline script cannot know the nonce and is blocked.
- The nonce is applied at the Dispatcher layer to cached content, so the pages remain cacheable and the author and publish instances are not burdened with generating a per-request nonce themselves.
Important Notes:
- Remember to restart (or gracefully reload) your Apache httpd service after making configuration changes.
- Thoroughly test your AEM application after implementing this setup to ensure no script functionality breaks due to missing nonces. Inline event handlers (onclick="...") and javascript: URLs cannot carry a nonce and will be blocked, and once a nonce source is present browsers ignore 'unsafe-inline' in the same directive.
- Verify in the browser or with curl that the nonce in the Content-Security-Policy header equals the nonce attribute on every <script>, that no literal <!--#echo ... --> remains in the served HTML, and that two consecutive requests for the same cached page receive different nonces. A repeated nonce means an already expanded value was cached, and the nonce then no longer protects anything.
- UNIQUE_ID is assembled from the server address, process ID, a timestamp and a counter. It is unique per request but not cryptographically random, whereas the CSP specification recommends nonces of at least 128 bits from a cryptographically secure generator. Treat this setup as a large improvement over 'unsafe-inline' rather than as the strongest possible nonce source.
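The checks listed above can be automated against captured responses. The following Python script is an added example written for this page; it is not part of the original post, of AEM or of the Dispatcher. It takes (Content-Security-Policy header value, HTML body) pairs, for instance saved from curl -i, and reports the failure modes of this setup: a nonce attribute that does not match the header, an SSI directive served literally (mod_include not filtering the cache directory), a nonce rendered as "(none)" (UNIQUE_ID missing from the environment), a second script-src directive appended to a policy that already had one, and a nonce repeated across separate requests. All sample responses in the block are constructed, and the nonce values only imitate the character set mod_unique_id emits.

```python
"""Offline consistency check for a per-request CSP nonce setup.

Given responses captured from the Dispatcher (CSP header value plus HTML body),
verify that the nonce in the script-src directive matches the nonce attribute
on every <script>, that no SSI directive such as <!--#echo ... --> survives in
the body, that the nonce did not render as "(none)", and that two separate
requests never share a nonce.
"""
import re
from html.parser import HTMLParser

# 'nonce-...' sources; mod_unique_id emits A-Z, a-z, 0-9, '@' and '-'.
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=@_-]+)'")
# Any unexpanded mod_include directive, e.g. <!--#echo var="UNIQUE_ID" -->
SSI_RE = re.compile(r"<!--#[a-z]+")


def header_nonces(csp):
    """Return the set of nonces in the first script-src directive of a CSP.

    Only the first occurrence counts: browsers ignore a repeated directive,
    which is why appending a second script-src with 'Header edit' does
    nothing if the policy already had one.
    """
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return set(NONCE_RE.findall(directive))
    return set()


class ScriptCollector(HTMLParser):
    """Collect the nonce attribute (None if absent) of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.nonces = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.nonces.append(dict(attrs).get("nonce"))


def check_response(csp, body):
    """Return a list of problems for one response; an empty list means OK."""
    problems = []
    if SSI_RE.search(body):
        problems.append("unexpanded SSI directive in body: mod_include is not "
                        "filtering this file (check Options +Includes and "
                        "AddOutputFilter INCLUDES on the Dispatcher docroot)")
    expected = header_nonces(csp)
    if not expected:
        problems.append("no 'nonce-...' source in the script-src directive")
    collector = ScriptCollector()
    collector.feed(body)
    for index, nonce in enumerate(collector.nonces):
        if nonce is None:
            problems.append(f"script #{index} has no nonce attribute and will be blocked")
        elif nonce == "(none)":
            problems.append(f"script #{index} nonce rendered as '(none)': UNIQUE_ID "
                            "is not set (is mod_unique_id loaded?)")
        elif nonce not in expected:
            problems.append(f"script #{index} nonce {nonce!r} does not match the "
                            f"header nonce(s) {sorted(expected)}")
    return problems


def repeated_nonces(responses):
    """Return nonces that appear in the headers of more than one response.

    Each entry of `responses` is a (csp_header_value, body) pair from a
    separate request; any repeat means the nonce is not per request.
    """
    counts = {}
    for csp, _body in responses:
        for nonce in header_nonces(csp):
            counts[nonce] = counts.get(nonce, 0) + 1
    return sorted(nonce for nonce, count in counts.items() if count > 1)


# Constructed sample responses (not captured from a real Dispatcher).
GOOD_1 = ("default-src 'self'; script-src 'nonce-ZfQb1kZ5ZZ0AAAbHk-8AAAAC'",
          '<html><body><script nonce="ZfQb1kZ5ZZ0AAAbHk-8AAAAC">init();</script>'
          '</body></html>')
GOOD_2 = ("default-src 'self'; script-src 'nonce-ZfQb1kZ5ZZ0AAAbHk-8AAAAD'",
          '<html><body><script nonce="ZfQb1kZ5ZZ0AAAbHk-8AAAAD">init();</script>'
          '</body></html>')
# SSI never ran: the cached directive is served literally.
UNEXPANDED = ("script-src 'nonce-ZfQb1kZ5ZZ0AAAbHk-8AAAAE'",
              '<html><body><script nonce=\'<!--#echo var="UNIQUE_ID" -->\'>'
              'init();</script></body></html>')
# A second script-src appended to a policy that already had one.
DUPLICATE_DIRECTIVE = ("default-src 'self'; script-src 'self'; "
                       "script-src 'nonce-ZfQb1kZ5ZZ0AAAbHk-8AAAAF'",
                       '<html><body><script nonce="ZfQb1kZ5ZZ0AAAbHk-8AAAAF">'
                       'init();</script></body></html>')

if __name__ == "__main__":
    for name, sample in [("good", GOOD_1), ("unexpanded", UNEXPANDED),
                         ("duplicate", DUPLICATE_DIRECTIVE)]:
        print(name, check_response(*sample) or "OK")
    print("repeated nonces:", repeated_nonces([GOOD_1, GOOD_1, GOOD_2]))
```

Run it against the header and body of at least two real requests for the same cached page: check_response should return an empty list for each, and repeated_nonces should return an empty list across them. A repeated nonce means the cache, not Apache, is supplying the value.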
Conclusion:
By adding CSP nonces to script tags on the Dispatcher cache, you significantly enhance the security posture of your AEM application without giving up caching. This approach leverages existing Apache modules (mod_unique_id, mod_headers and mod_include) and standard AEM templating to deliver a per-request nonce from static cached files.