Security Checklist

Security Checklist for System Administrators

Disable WebDAV

WebDAV should be disabled on the publish environment.

See the CRX documentation for further details.

Restrict Access via the Dispatcher

Configure the Dispatcher to restrict access so that only the following paths are available to external visitors:

  • /content - Site content

  • /etc - Miscellaneous content such as designs

The following should be entered in the configuration file dispatcher.any:

# only handle the requests in the following acl. default is 'none'
# the glob pattern is matched against the first request line
# (e.g. "GET /content/site/en.html HTTP/1.1"), so each path rule ends in
# a trailing "*" to match the rest of that line; "[./]" prevents e.g.
# "/contentx" from matching the "/content" rule
/filter
  {
  /0001
    {
    /glob "*"
    /type "deny"
    }
  /0002
    {
    /glob "* /content[./]*"
    /type "allow"
    }
  /0003
    {
    /glob "* /etc[./]*"
    /type "allow"
    }
  }
Note

This configuration includes the following restrictions:

  1. Restricts access to the Servlet Engine Administration /admin

  2. Restricts access to the Sling Console /system

  3. Restricts access to CRX /crx

  4. Restricts access to the following application specific folders:

    • /apps – Application data

    • /libs – CQ5 Library

    • /var – var folder

    • /etc – Miscellaneous folder

    • /home – User’s home folder

  5. Restricts access to /tmp

  6. Denies POST requests (where forms are not used).
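The filter rules above are easier to review when you can see which request lines they let through. The following Python script is an added example, not part of the Adobe documentation or of the Dispatcher itself: it models the /filter evaluation (rules tried in order, last matching rule decides, unmatched requests not served) with fnmatch-style globs over constructed request lines, and goes one step beyond the page by adding an assumed method-based deny rule ("POST *") built from the same glob-on-request-line mechanism.

```python
from fnmatch import fnmatchcase

# Constructed rule list mirroring the /filter section shown above, as
# (glob, type) pairs in file order. The glob is matched against the whole
# first request line, e.g. "GET /content/site/en.html HTTP/1.1", so each
# path rule needs a trailing "*" to also match the rest of that line.
# "[./]" after the path keeps "/contentx" from passing as "/content".
FILTER_RULES = [
    ("*", "deny"),                 # /0001: deny everything ...
    ("* /content[./]*", "allow"),  # /0002: ... except the site content
    ("* /etc[./]*", "allow"),      # /0003: ... and designs etc. under /etc
]

# Assumed extension (not on the page): because the HTTP method is part of
# the first request line, a glob can also key on it.
FILTER_RULES_NO_POST = FILTER_RULES + [("POST *", "deny")]


def evaluate_filter(request_line, rules=FILTER_RULES):
    """Return "allow" or "deny" for one request line.

    Models the Dispatcher behaviour that rules are tried in order and the
    last matching rule decides. When no rule matches, the default of
    'none' (see the comment in dispatcher.any) means the request is not
    served, so that case is reported as "deny".
    """
    decision = "deny"
    for glob, rule_type in rules:
        if fnmatchcase(request_line, glob):
            decision = rule_type
    return decision


def audit(request_lines, rules=FILTER_RULES):
    """Map each request line to its decision; handy when reviewing a rule set."""
    return {line: evaluate_filter(line, rules) for line in request_lines}


if __name__ == "__main__":
    # Constructed request lines covering the paths the note says must be blocked.
    SAMPLE_REQUESTS = [
        "GET /content/geometrixx/en.html HTTP/1.1",
        "GET /etc/designs/geometrixx/static.css HTTP/1.1",
        "GET /admin HTTP/1.1",
        "GET /system/console HTTP/1.1",
        "GET /crx/de/index.jsp HTTP/1.1",
        "GET /apps/geometrixx/components/page/page.jsp HTTP/1.1",
        "GET /contentx/anything HTTP/1.1",
        "POST /content/geometrixx/en/form HTTP/1.1",
    ]
    for line, decision in audit(SAMPLE_REQUESTS).items():
        print(f"{decision:5}  {line}")
    print("with assumed POST rule:",
          evaluate_filter("POST /content/geometrixx/en/form HTTP/1.1",
                          FILTER_RULES_NO_POST))
```

Run it as a script to see the decision for each sample line. Note that the three rules from the page select on path only; with them alone a POST to an allowed path is served, which is why the extra method rule is shown separately and labelled as an assumption.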

Check for Cross-Site Scripting (XSS)

Cross-site scripting (XSS) allows attackers to inject code into web pages viewed by other users. This security vulnerability can be exploited by malicious web users to bypass access controls.

Warning

CQ5 example code is not protected against such attacks.
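What a check for cross-site scripting looks for is untrusted input reaching the page without output encoding for its context. The following Python snippet is an added illustration, not CQ5 code (CQ5 components are JSP/Java): it places a constructed vulnerable renderer beside its hardened form for the HTML body and attribute contexts, plus a crude review helper that flags when an untrusted string reaches the output with its markup intact.

```python
import html


def render_greeting_unsafe(name):
    """VULNERABLE (constructed illustration): the value is written into the
    HTML body verbatim, so any markup in the input becomes part of the page."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Hardened: HTML-encode the value for the body context before output,
    so "<" and ">" arrive in the browser as text, not as tags."""
    return "<p>Hello, " + html.escape(name, quote=False) + "</p>"


def render_search_box_safe(query):
    """Attribute context: quote=True also encodes the quote characters, so
    the value cannot close the value="..." attribute and add new ones."""
    return '<input name="q" value="' + html.escape(query, quote=True) + '">'


def reflects_markup(rendered, untrusted):
    """Crude check for a code or response review: does the untrusted string
    appear in the output with its tags intact? True flags a likely XSS sink."""
    return "<" in untrusted and untrusted in rendered


if __name__ == "__main__":
    # Constructed test inputs of the kind an XSS check feeds to a page.
    body_input = "<script>alert(1)</script>"
    attr_input = '" onmouseover="alert(1)'
    print("unsafe:", render_greeting_unsafe(body_input),
          "->", reflects_markup(render_greeting_unsafe(body_input), body_input))
    print("safe:  ", render_greeting_safe(body_input),
          "->", reflects_markup(render_greeting_safe(body_input), body_input))
    print("attr:  ", render_search_box_safe(attr_input))
```

The same principle applies to the CQ5 example components the warning refers to: any value taken from the request or from user-supplied content must be encoded for the context it is written into (body, attribute, URL or script) before it reaches the response.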