Content Security Policy (CSP) is a browser-enforced policy that mitigates XSS (Cross-Site Scripting): with a nonce-based script-src, the browser only executes script elements that carry the nonce named in the response header, and everything else, including anything an attacker managed to inject, is blocked. The difficulty in AEM is that the Dispatcher serves cached HTML, so a nonce written by AEM at render time would be reused across requests. This blog post shows how to have the Dispatcher generate a fresh nonce per request and inject it into both the header and the cached markup, using only Apache modules.

Prerequisites:

  • The mod_unique_id, mod_headers and mod_include modules enabled in your Apache configuration (mod_include provides the INCLUDES output filter that processes Server Side Includes).

Configuration Steps:

  1. Apache SSI Configuration (Before Dispatcher Configuration):

    • Locate your httpd.conf file or the relevant Apache configuration file for your environment.

    • Add the following lines, inside the <Directory> block for the Dispatcher document root, to enable SSI processing:

      Options +Includes
      AddType text/html .html
      AddOutputFilter INCLUDES .html
      

    These lines achieve the following:

    • Options +Includes: Enables SSI processing within the directory (make sure this is set for the directory that holds the Dispatcher cache). If you do not need the #exec directive, prefer Options +IncludesNOEXEC, which keeps #echo working but disables #exec cmd and #exec cgi, so that SSI syntax that ends up in cached content cannot run commands on the Dispatcher host.
    • AddType text/html .html: Defines that files with the .html extension are served as HTML content.
    • AddOutputFilter INCLUDES .html: Instructs mod_include to run the SSI filter over every .html file served from that directory. This is what expands the directive on each delivery, so the cached file can be served many times and still yield a per-request value.
  2. Dispatcher vHost Configuration:

    • Within your Dispatcher's virtual host configuration file, locate the section for the desired AEM server.

    • Add the following line to set the Content-Security-Policy header for script sources:

      Header always set Content-Security-Policy "script-src 'nonce-%{UNIQUE_ID}e'"
      

    The value is quoted because it contains a space; unquoted, mod_headers would treat 'nonce-...' as a third argument and reject the directive. This leverages the mod_unique_id module, which sets the UNIQUE_ID environment variable to a unique identifier for each request; %{UNIQUE_ID}e expands to its contents, the trailing e identifying the token as an environment variable. always makes the header apply to error responses as well as successful ones.

    Two properties of UNIQUE_ID are worth knowing before relying on it as a nonce. First, mod_unique_id encodes the identifier with the alphabet [A-Za-z0-9@-], while CSP's nonce grammar (base64-value) allows only A-Z, a-z, 0-9, +, /, -, _ and = padding; an identifier containing @ may therefore be rejected as malformed by a strict CSP parser, so check the browser console for nonce warnings across many requests, not just one. Second, mod_unique_id is designed to produce an identifier that is unique, not one that is unguessable, whereas the CSP specification recommends nonces of at least 128 bits from a cryptographically secure random generator. The setup is still a large improvement over 'unsafe-inline', but those are the trade-offs you accept.

    Existing CSP Header:

    If AEM already sets a Content-Security-Policy header, you can append a script-src directive instead of overwriting the entire policy:

    <IfModule mod_headers.c>
      Header edit "Content-Security-Policy" ^(.*)$ "$1; script-src 'nonce-%{UNIQUE_ID}e'"
    </IfModule>
    
    Two caveats apply. Header edit only changes a header that is present on the response; on a Dispatcher cache hit the AEM-set header is only there if your dispatcher.any caches it (the /headers section of the cache configuration), so verify the result on both a cache miss and a cache hit, and use Header always edit if the policy must also cover error responses. And if the existing policy already contains a script-src directive, this regex produces a second one, which browsers ignore (only the first occurrence of a directive name is honoured): in that case the nonce must be inserted into the existing script-src directive rather than appended as a new one.
    
  3. AEM Script Block Modification:

    There are two approaches to adding the nonce attribute with the unique ID to all script blocks in AEM:

    A. Using Apache Server Side Includes (SSI):

    • Within your AEM script component or template, modify the opening <script> tag to include the following SSI directive:

      <script nonce='<!--#echo var="UNIQUE_ID" -->'>
      

    This leverages SSI to insert the request's UNIQUE_ID into the nonce attribute. Note what is actually cached: the .html file on the Dispatcher contains the literal directive, and mod_include expands it on every delivery, so each response carries the same nonce in its header and its script tags even though the markup is served from the cache. The only thing that matters on the AEM side is therefore that the directive reaches the cache unchanged; inspect the cached file on the Dispatcher to confirm that HTL escaping or HTML minification has not altered it.

    B. Using AEM Transformer:

    • Alternatively, implement a Sling Rewriter transformer (org.apache.sling.rewriter.Transformer) that adds the nonce='<!--#echo var="UNIQUE_ID" -->' attribute to every script element at render time, so that the implementation lives in one place and no component template has to change.
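The following is an added example, not code from the original post: a self-contained Python check for the three steps above. It emulates the two delivery-time expansions the setup relies on (mod_include expanding <!--#echo var="UNIQUE_ID" --> in the cached HTML, mod_headers expanding %{UNIQUE_ID}e in the header value), then verifies what a browser would see: that the header carries a syntactically valid nonce, that every script element matches it, and that the SSI directive was actually expanded. It also shows how to merge a nonce into an existing policy without creating the duplicate script-src that the Header edit regex from step 2 can produce. The cached page, the sample UNIQUE_ID values and the "(none)"/"(null)" placeholders for unset variables are constructed for the example; the emulation covers only #echo and %{VAR}e, nothing else those modules do.

```python
"""Consistency check for the Dispatcher CSP-nonce setup (constructed example).

Emulates the two delivery-time expansions the setup relies on, then verifies
that the resulting response is one a browser will accept:
  - mod_include expanding <!--#echo var="UNIQUE_ID" --> in the cached HTML
  - mod_headers expanding %{UNIQUE_ID}e in the Header directive value
"""
import re

# Nonce grammar from CSP: base64-value = 1*(ALPHA / DIGIT / + / / / - / _) *2("=")
CSP_NONCE_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")
SSI_ECHO_RE = re.compile(r'<!--#echo\s+var="([A-Za-z_][A-Za-z0-9_]*)"\s*-->')
HEADER_VAR_RE = re.compile(r"%\{([A-Za-z_][A-Za-z0-9_]*)\}e")
SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR_RE = re.compile(r"""\bnonce\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def expand_ssi_echo(cached_html: str, env: dict) -> str:
    """Emulate mod_include's #echo on the cached file (only #echo is modelled).
    An unset variable prints "(none)", mod_include's SSIUndefinedEcho default."""
    return SSI_ECHO_RE.sub(lambda m: env.get(m.group(1), "(none)"), cached_html)


def expand_header_value(fmt: str, env: dict) -> str:
    """Emulate mod_headers' %{VAR}e expansion; an unset variable yields "(null)"."""
    return HEADER_VAR_RE.sub(lambda m: env.get(m.group(1), "(null)"), fmt)


def script_src_nonces(policy: str) -> list:
    """Nonces in the FIRST script-src directive; a repeated directive name is
    ignored, exactly as browsers ignore it."""
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "script-src":
            return re.findall(r"'nonce-([^']*)'", value)
    return []


def add_script_src_nonce(policy: str, nonce: str) -> str:
    """Add the nonce to an existing policy without creating a second script-src,
    which is what a naive `Header edit ... "$1; script-src ..."` would do."""
    out, found = [], False
    for directive in filter(None, (d.strip() for d in policy.split(";"))):
        name, _, value = directive.partition(" ")
        if name.lower() == "script-src" and not found:
            found = True
            directive = " ".join(filter(None, ["script-src", value.strip(), f"'nonce-{nonce}'"]))
        out.append(directive)
    if not found:
        out.append(f"script-src 'nonce-{nonce}'")
    return "; ".join(out)


def check_response(headers: dict, body: str) -> list:
    """Return the problems found in a delivered response; [] means consistent."""
    nonces = script_src_nonces(headers.get("Content-Security-Policy", ""))
    if not nonces:
        return ["no script-src nonce in Content-Security-Policy header"]
    problems = [f"nonce {n!r} is not valid base64-value; a browser may ignore it"
                for n in nonces if not CSP_NONCE_RE.match(n)]
    if SSI_ECHO_RE.search(body):
        problems.append("unexpanded SSI directive in body: INCLUDES filter not applied")
    for i, tag in enumerate(SCRIPT_TAG_RE.finditer(body), 1):
        attr = NONCE_ATTR_RE.search(tag.group(1))
        value = next((g for g in attr.groups() if g is not None), None) if attr else None
        if value is None:
            problems.append(f"script #{i} has no nonce attribute")
        elif value not in nonces:
            problems.append(f"script #{i} nonce {value!r} does not match the header")
    return problems


# Constructed inputs: a cached page as AEM would write it (step 3A) and the
# header format from step 2.  The third script deliberately lacks a nonce.
CACHED_HTML = """<html><head>
<script nonce='<!--#echo var="UNIQUE_ID" -->'>console.log("inline");</script>
<script nonce='<!--#echo var="UNIQUE_ID" -->' src="/etc.clientlibs/site/clientlibs/site.js"></script>
</head><body><script>alert("no nonce, blocked by the policy");</script></body></html>
"""
HEADER_FORMAT = "script-src 'nonce-%{UNIQUE_ID}e'"


def serve(unique_id: str, header_fmt: str = HEADER_FORMAT, cached_html: str = CACHED_HTML):
    """Emulate one delivery of the cached file for a request with this UNIQUE_ID."""
    env = {"UNIQUE_ID": unique_id}
    return ({"Content-Security-Policy": expand_header_value(header_fmt, env)},
            expand_ssi_echo(cached_html, env))


if __name__ == "__main__":
    # Sample IDs use mod_unique_id's alphabet [A-Za-z0-9@-]; '@' is not valid base64.
    for uid in ("Zn3kQ1a9bC2dEfGhIjKlMnOp", "Zn3kQ1a9@C2dEfGhIjKlMnOp"):
        hdrs, body = serve(uid)
        print(uid, check_response(hdrs, body))
```

Running it reports only the deliberately nonce-less third script for the first identifier, and additionally flags the second identifier as not valid base64 because of the @; feeding check_response the raw cached file instead of a served one reports the unexpanded directive, which is the symptom you see when the INCLUDES filter is not applied to the cache directory. In production, the same check can be run against the actual headers and body returned by curl.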

Benefits:

  • Only scripts carrying the nonce the Dispatcher generated for that request can execute; everything else, including scripts an attacker injects into the page, is blocked by the browser. The same policy also blocks inline event handlers (onclick="...") and javascript: URLs, which a nonce cannot cover, so expect to refactor those.
  • Because the nonce is injected on the Dispatcher, only published, cached content is affected and author instances are left untouched.

Important Notes:

  • Reload or restart the Apache httpd service after making configuration changes.
  • Test thoroughly before enforcing: roll the policy out as Content-Security-Policy-Report-Only first and watch the violation reports or the browser console, so that scripts without a nonce (third-party tags, inline handlers) are found before they are blocked in production.

Conclusion:

By adding per-request CSP nonces to script tags on the Dispatcher cache, you significantly strengthen the security posture of your AEM application without giving up caching. The approach needs nothing beyond standard Apache modules (mod_unique_id, mod_headers, mod_include) and a small change on the AEM side.