For part 4 of this series we will discuss Adobe CQ Security Configurations. This group of configurations helps ensure proper access control on the repository (CRX): demo users need to be removed, bulk access to the repository needs to be denied, the developer console should be disabled, and measures against several other types of attack need to be in place.
- remove Geometrixx users: besides removing the Geometrixx demo websites you also need to remove the default Geometrixx users. For security purposes you should keep only the users that are specific to your application plus the administrative users.
- add clickjacking headers: Clickjacking is an attack in which multiple transparent or opaque layers trick a user into clicking a button or link on another page when they intended to click on the top-level page. To prevent it, we recommend that you configure your webserver to send the X-FRAME-OPTIONS HTTP header set to SAMEORIGIN.
- disable WebDAV access: CRX and CQ come with WebDAV support that lets you display and edit the repository content. Setting up WebDAV gives you direct access to the content repository through your desktop. WebDAV should be disabled on the publish environment.
- disable CRXDE Light access: CRXDE Support should be disabled on a productive system before making it publicly accessible.
- disable Debug Mode: This is useful when developing as it allows the use of suffixes, but should be disabled on a production instance to ensure performance and security.
- protect against Cross-Site Scripting (XSS): Cross-site scripting (XSS) allows attackers to inject code into web pages viewed by other users. CQ applies the principle of filtering all user-supplied content upon output. Additionally, a web application firewall can be configured to add protection.
- prevent Denial of Service attacks (DoS): Limit the size of JSON representation responses, and do not use number sizing for images.
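The checklist above is only useful if you can confirm that each item actually took effect on the publish instance. The following script is an added example, not code from the original post or from Adobe: it evaluates captured HTTP probe results against four of the items (clickjacking header, WebDAV, CRXDE Lite, JSON response size). The probe results are constructed sample data so the module runs offline; the request paths assume the default CQ layout (`/crx/de/`, `/crx/repository/`, `.infinity.json`) and the `MAX_JSON_DEPTH` threshold is an assumed value you would tune to your own content tree.

```python
"""Hardening audit for a CQ publish instance (added example, not from the post).

Each check takes the already-captured result of one HTTP probe and returns a
finding string, or None when the item passes. The probes below are constructed
sample data; in a real audit they come from requests made against the host.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Probe:
    method: str
    path: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        # HTTP header names are case-insensitive
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


SAFE_FRAME_OPTIONS = {"SAMEORIGIN", "DENY"}
MAX_JSON_DEPTH = 10  # assumed threshold; set it from the site's real content depth


def check_clickjacking(probe):
    """X-Frame-Options must be present and restrictive on HTML responses."""
    value = probe.header("X-Frame-Options")
    if value is None:
        return f"{probe.path}: missing X-Frame-Options header"
    if value.strip().upper() not in SAFE_FRAME_OPTIONS:
        return f"{probe.path}: weak X-Frame-Options value {value!r}"
    return None


def check_webdav(probe):
    """A WebDAV PROPFIND against the repository must be refused, not answered."""
    if probe.status in (200, 207):  # 207 Multi-Status is the WebDAV success code
        return f"{probe.path}: WebDAV still answers {probe.method} ({probe.status})"
    if "PROPFIND" in (probe.header("Allow") or "").upper():
        return f"{probe.path}: Allow header still advertises WebDAV methods"
    return None


def check_crxde(probe):
    """CRXDE Lite must not be reachable on publish."""
    return f"{probe.path}: CRXDE Lite is reachable" if probe.status == 200 else None


def json_depth(value, depth=1):
    """Nesting depth of a parsed JSON document (a scalar has depth 1)."""
    if isinstance(value, dict):
        return max((json_depth(v, depth + 1) for v in value.values()), default=depth)
    if isinstance(value, list):
        return max((json_depth(v, depth + 1) for v in value), default=depth)
    return depth


def check_json_depth(probe):
    """A 200 with a very deep .infinity.json tree means JSON size is unbounded.
    Anything other than 200 (e.g. a depth-choice list or a denial) passes."""
    if probe.status != 200:
        return None
    try:
        tree = json.loads(probe.body)
    except ValueError:
        return None
    depth = json_depth(tree)
    if depth > MAX_JSON_DEPTH:
        return f"{probe.path}: unbounded JSON rendering (depth {depth})"
    return None


CHECKS = {"clickjacking": check_clickjacking, "webdav": check_webdav,
          "crxde": check_crxde, "json_depth": check_json_depth}


def audit(probes):
    """Run each named check on its probe and return the list of findings."""
    return [f for name, probe in probes.items() if (f := CHECKS[name](probe))]


def nested(levels):
    """Constructed stand-in for a deep repository tree rendered as JSON."""
    node = {"jcr:primaryType": "nt:unstructured"}
    for _ in range(levels):
        node = {"jcr:primaryType": "nt:unstructured", "child": node}
    return node


# Constructed probe results for an instance before and after hardening.
UNHARDENED = {
    "clickjacking": Probe("GET", "/content/site/en.html", 200, {"Content-Type": "text/html"}),
    "webdav": Probe("PROPFIND", "/crx/repository/crx.default", 207, {}, "<D:multistatus/>"),
    "crxde": Probe("GET", "/crx/de/index.jsp", 200),
    "json_depth": Probe("GET", "/content/site.infinity.json", 200, {}, json.dumps(nested(12))),
}
HARDENED = {
    "clickjacking": Probe("GET", "/content/site/en.html", 200, {"X-Frame-Options": "SAMEORIGIN"}),
    "webdav": Probe("PROPFIND", "/crx/repository/crx.default", 405, {"Allow": "GET, HEAD, POST"}),
    "crxde": Probe("GET", "/crx/de/index.jsp", 404),
    "json_depth": Probe("GET", "/content/site.infinity.json", 300, {}, '["/content/site.5.json"]'),
}

if __name__ == "__main__":
    for label, probes in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, audit(probes) or "all checks passed")
```

Feed the functions real probe results taken from the publish host (or through the Dispatcher, since the web server is where the clickjacking header is added) and rerun the audit after each configuration change; an empty findings list is the acceptance criterion for this part of the checklist.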
The final set of configurations are for “optimizing” performance. Notice that not all “optimizing configurations” can be performed right after installing CQ; you will need to first gather some information on how your CQ instance is performing and then find specific measures to improve it.