Posted to commits@sling.apache.org by dk...@apache.org on 2021/07/12 15:54:36 UTC
[sling-org-apache-sling-app-cms] branch master updated: SLING-10588 - updating docs and removing unneeded import
This is an automated email from the ASF dual-hosted git repository.
dklco pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-app-cms.git
The following commit(s) were added to refs/heads/master by this push:
new 1129ea4 SLING-10588 - updating docs and removing unneeded import
1129ea4 is described below
commit 1129ea45635928e67f8d1c856a6e3a036da91edb
Author: Dan Klco <kl...@adobe.com>
AuthorDate: Mon Jul 12 09:12:24 2021 -0400
SLING-10588 - updating docs and removing unneeded import
---
.../sling/cms/core/internal/filters/CMSSecurityFilter.java | 1 -
docs/securing.md | 14 ++++++++++----
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
index 8aab1d0..cf77932 100644
--- a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
+++ b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
@@ -43,7 +43,6 @@ import org.apache.sling.cms.CMSUtils;
import org.apache.sling.cms.PublishableResource;
import org.apache.sling.cms.publication.PUBLICATION_MODE;
import org.apache.sling.cms.publication.PublicationManagerFactory;
-import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
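Review bot: Dropping the `org.osgi.service.component.annotations.Activate` import is only correct if no `@Activate`-annotated method or field remains anywhere in CMSSecurityFilter; the hunk shows the import block alone, so that cannot be confirmed from the visible lines. The commit message states the import was unneeded, which a compile of the core module would confirm; if it does compile, no further change is needed here.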
diff --git a/docs/securing.md b/docs/securing.md
index a175521..1d482cf 100644
--- a/docs/securing.md
+++ b/docs/securing.md
@@ -20,20 +20,26 @@ Sling CMS by default is pretty open, so you will want to secure the application
- Configure the Host Domain, Allowed Patterns and, optionally, the Group required to access the CMS
![Configure Security Filter](img/configure-security-filter.png)
2. Configure the Referrer Filter - this filters which referrers are allowed send modification requests to the CMS instance. To configure the Referrer Filter:
- - Open the OSGi console at [http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter](http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter)
- - Configure the _Allow Hosts_ or _Allow Regexp Hosts_ to the host names allowed
+ - Open the OSGi console at [http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter](http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter)
+ - Configure the _Allow Hosts_ or _Allow Regexp Hosts_ to the host names allowed
![Configure Referrer Filter](img/configure-referrer-filter.png)
- 2. Configure Apache for Security - Add configurations to make Apache HTTPD secure:
+ 2. Configure Apache for Security - Add configurations like the ones below to make Apache HTTPD secure:
# Security Protection
+ Header set Content-Security-Policy default-src https: data: 'unsafe-inline'; frame-ancestors https:
+ Header set Feature-Policy * 'none'
+ Header set Referrer-Policy strict-origin
+ Header set Strict-Transport-Security max-age=15552000; includeSubDomains; preload
+ Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
- Header set X-Content-Type-Options "nosniff"
# Harden Apache
ServerSignature Off
ServerTokens Prod
TraceEnable off
+
+ Note, you should expect to tweak these based on your environment. The website [securityheaders.com](https://securityheaders.com/) is a good resource for learning about the best practices in security header configurations.
3. Ensure sites only allow specific paths - in [Configure Site](configure-site.md), you need to configure the individual site's Virtual Host in Apache. Ensure that only the required paths are proxied. This should never include paths under /etc, /system, /bin, /home or /var
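Review bot: The new `Header set` lines whose values contain spaces or semicolons are unquoted, so Apache will split each value into several arguments and the configuration will not parse: this affects `Header set Content-Security-Policy default-src https: data: 'unsafe-inline'; frame-ancestors https:`, `Header set Feature-Policy * 'none'` and `Header set Strict-Transport-Security max-age=15552000; includeSubDomains; preload`. Quote the values the way the existing X-Content-Type-Options and X-XSS-Protection lines already do, e.g. `Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"`. Two further points for the accompanying note: Feature-Policy has been superseded by Permissions-Policy and X-XSS-Protection is no longer honoured by current Chromium-based browsers or Firefox, so both are worth flagging as legacy; and `'unsafe-inline'` in `default-src` plus the HSTS `preload` token are the settings most in need of the "expect to tweak" caveat, since `preload` is effectively irreversible once a domain is submitted to the preload list. Finally, the step numbering is inconsistent: the indented Apache step is numbered `2.` directly after the Referrer Filter step that is also `2.`, while the next step is `3.`, so it should be renumbered or turned into a sub-item.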