How to secure AEM sling servlet | Community
New Participant
January 29, 2025

How to secure AEM sling servlet

  • January 29, 2025
  • 6 replies
  • 2220 views

Hi All,

We have registration functionality on our website where an AEM Sling servlet collects the data from the form and inserts that record into a database table. The AEM Sling servlet is invoked via an Ajax call from the client side. We suspect that there are fraudulent attempts by invoking the Sling servlet directly from an API client like Postman. The AEM Sling servlet is registered with a resource type. Is it possible to invoke a Sling servlet from an API client like Postman? If yes, how can we block the attempts to the servlet? Please help here.

6 replies

kautuk_sahni
Employee
February 10, 2025

@srikanthpo3 Did you find the suggestions helpful? Please let us know if you need more information. If a response worked, kindly mark it as correct for posterity; alternatively, if you found a solution yourself, we’d appreciate it if you could share it with the community. Thank you!

Kautuk Sahni

New Participant
February 11, 2025

Hi @kautuk_sahni 

We already have a CSRF filter rule and clientheaders configuration in our dispatcher, but we are still able to hit the AEM servlet from Postman.

I am looking for information on configuring rate limiting at the AEM dispatcher. I could not find this; can you or anyone help here?

ayush-anand
New Participant
February 16, 2025

Hi @srikanthpo3 ,
You can use ModSecurity to block clients that make an excessive number of requests within a short period at the dispatcher level. I found a helpful documentation link: https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/security/modsecurity-crs-dos-attack-protection.
Hope this helps.
Regards,

Ayush

AmitVishwakarma
New Participant
February 2, 2025

To secure your AEM Sling servlet from fraudulent attempts (e.g., direct access via API clients like Postman), you can implement the following measures:

1. Enable CSRF Protection: Use AEM's built-in CSRF protection to prevent unauthorized requests.

2. Validate Referrer & Origin Headers: Ensure that requests to the servlet only come from trusted sources (your website).

3. Restrict Access to Logged-in Users: Limit access to the servlet by requiring the user to be logged in (if appropriate).

4. Use CAPTCHA for Bot Prevention: Implement CAPTCHA validation, ideally both on the client and server side, to prevent automated submissions.

5. Implement Rate Limiting: Use rate limiting at the Dispatcher level or via CDN to limit excessive requests.

6. Whitelist Allowed Domains or IPs: Restrict access by whitelisting trusted domains or IPs to prevent external API clients from making requests.

7. Use JWT/OAuth Authentication: Secure your API with JWT or OAuth to ensure that only authorized users or services can invoke the servlet.

By combining these methods, especially CSRF protection, CAPTCHA, and referrer validation, you can greatly reduce the risk of fraudulent access.

arunpatidar
New Participant
January 30, 2025

Hi @srikanthpo3,

You can rely on the following:

  • Use captcha
  • Servlet API - Rate limit at CDN
Arun Patidar

New Participant
January 31, 2025

Thanks for your response @arunpatidar 

Captcha can be implemented only on a web page, am I correct? It might not help if someone is submitting the requests from an API client like Postman?

I will check Servlet API - Rate limit at CDN.

arunpatidar
New Participant
January 31, 2025

Hi @srikanthpo3 

Captcha is used to prevent use of the application outside a browser, because the backend server needs to validate the captcha with each form submit.

https://medium.com/@hwupathum/recaptcha-how-it-works-4031eae74a8b 

Arun Patidar

Shiv_Prakash_Patel
New Participant
January 29, 2025

Hi @srikanthpo3 ,

We can block fraudulent attempts from API clients like Postman.

  • Enable CSRF Protection
  • Validate Referrer & Origin Headers
  • Restrict Servlet Access to Logged-in Users
  • Use CAPTCHA for Bot Prevention
  • Implement Rate Limiting via Dispatcher
  • Whitelist Allowed Domains
  • Use JWT/OAuth Authentication for Secure Requests

You can combine CSRF protection, referrer validation, and CAPTCHA for immediate security.

Regards,

Shiv Prakash

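A server-side form of two items that appear in both lists above (validate the Origin/Referer headers, restrict the servlet to logged-in users), as an added Java example that is not code from this thread or from Adobe; the resource type myproject/components/registration and the trusted host www.example.com are placeholders for your project's values.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Set;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

// Resource type and trusted host below are placeholders for your project's values.
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=myproject/components/registration",
        "sling.servlet.methods=POST"
})
public class RegistrationServlet extends SlingAllMethodsServlet {
    private static final Set<String> TRUSTED_HOSTS = Set.of("www.example.com");

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // 1. Logged-in users only: without a valid login cookie or token the request
        //    resolves as the "anonymous" user on publish, whatever client sent it.
        String userId = request.getResourceResolver().getUserID();
        if (userId == null || "anonymous".equals(userId)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. Browsers attach Origin (and usually Referer) to form POSTs; require one
        //    of them to name our own site, so a page on another origin cannot submit.
        if (!fromTrustedHost(request.getHeader("Origin"), request.getHeader("Referer"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ... validate the form fields and insert the registration row here ...
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // True only if Origin (preferred) or else Referer is an https URL on a trusted host.
    static boolean fromTrustedHost(String origin, String referer) {
        String candidate = origin != null ? origin : referer;
        if (candidate == null) return false; // neither header: not a browser form submission
        try {
            URI uri = URI.create(candidate); // "Origin: null" parses with no host -> false
            return "https".equalsIgnoreCase(uri.getScheme()) && uri.getHost() != null
                    && TRUSTED_HOSTS.contains(uri.getHost().toLowerCase());
        } catch (IllegalArgumentException e) {
            return false; // malformed header value
        }
    }
}
```

The Origin/Referer check only stops cross-site and casual submissions, since any non-browser client can set those headers itself; the logged-in check, the existing CSRF filter and the rate limiting discussed in this thread are the controls that actually hold against a scripted client.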
New Participant
February 3, 2025

Hi @shiv_prakash_patel 

Thanks for your response.

We have a login feature, but user authentication is not handled by the SAML handler; it is done through the Adobe Commerce integration. Can you please shed some light on how we can restrict access to the servlet to logged-in users?

gkalyan
New Participant
January 29, 2025

@srikanthpo3 

If the servlet is registered with a resource type and is publicly accessible, any user with knowledge of the endpoint can make requests to it, regardless of the client used (e.g., jQuery AJAX, Postman, etc.).
There are multiple ways you can secure your form submits.

I would say one of the best ones would be to add reCAPTCHA validation both at the client side and at the server side.
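The server-side half of that check, which is also what Arun describes above (the backend must validate the captcha token on every form submit), as an added Java example that is not code from this thread; it uses Google's documented reCAPTCHA siteverify endpoint, and the secret and expected hostname are assumed to come from your own OSGi configuration.

```java
import java.io.StringReader;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import javax.json.Json;
import javax.json.JsonObject;

public final class CaptchaVerifier {
    // Google's documented verification endpoint for reCAPTCHA v2 and v3.
    private static final URI VERIFY_URI = URI.create("https://www.google.com/recaptcha/api/siteverify");
    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    private final String secret;           // assumed: read from a secured OSGi configuration
    private final String expectedHostname; // assumed: the site hosting the form, e.g. www.example.com

    public CaptchaVerifier(String secret, String expectedHostname) {
        this.secret = secret;
        this.expectedHostname = expectedHostname;
    }

    // Called from the servlet's doPost with the "g-recaptcha-response" form field. Returns true
    // only if Google confirms the token; a client that skipped the widget has no token, and
    // tokens are single-use, so a captured one cannot be replayed from another client.
    public boolean verify(String token, String remoteIp) throws Exception {
        if (token == null || token.isBlank()) return false;
        String form = "secret=" + enc(secret) + "&response=" + enc(token)
                + (remoteIp != null ? "&remoteip=" + enc(remoteIp) : "");
        HttpRequest req = HttpRequest.newBuilder(VERIFY_URI)
                .timeout(Duration.ofSeconds(5))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) return false; // fail closed if verification is unavailable
        return isSuccess(resp.body(), expectedHostname);
    }

    // Parses the siteverify JSON. Pinning "hostname" rejects a token that was solved on
    // some other site that happens to use the same site key.
    static boolean isSuccess(String json, String expectedHostname) {
        JsonObject obj = Json.createReader(new StringReader(json)).readObject();
        return obj.getBoolean("success", false)
                && expectedHostname.equalsIgnoreCase(obj.getString("hostname", ""));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }
}
```

On publish behind the Dispatcher, pass the forwarded client address rather than request.getRemoteAddr() as remoteIp, or omit it.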
Tethich
New Participant
January 29, 2025

Hi @srikanthpo3 
So you have a servlet that you exposed for someone or something to invoke. Which means for a specific scenario and actor (human or software), you want the requests to go through.
Now, if they do get through from Postman, it means that whoever made the request has the authorization credentials and was able to add them in Postman. Otherwise it would have given them a 401 in Postman. Maybe it was for development, and the harm was intended, but you can't risk it. I would suggest identifying the credentials used, either user or token, changing them, and informing the trusted actors of the new credentials to be used.

Another thing you could do is to check the request's User-Agent header in your servlet, and not permit PostmanRuntime/7.43.0 (or other versions). But this is not a long-term solution. Imagine requests can be made from anywhere: cURL, browsers, etc.

Another option would be to add some filtering rules higher up in the infrastructure, to permit only known IPs:
- For AEMaaCS we have this documentation page: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/using-cloud-manager/ip-allow-lists/introduction
- Or you can do it at the Dispatcher level, for an on-prem setup: https://blogs.perficient.com/2022/02/15/ip-whitelisting-through-aem-dispatcher-in-5-easy-steps/
- Or if you have a custom cloud, your DevOps specialist could guide you.

Tethich
New Participant
January 29, 2025

"Maybe it was for development, and the harm was NOT intended ..." I meant to say. But I can't edit the posts anymore to correct it. This feature was removed from the community recently.