Apache Sling > Sling CMS > Administration > Securing Sling CMS

Securing Sling CMS

Sling CMS by default is pretty open, so you will want to secure the application with the following steps:

  1. Configure the Apache Sling CMS Security Filter - The Apache Sling CMS Security Filter allows for limiting access to non-published content and content directly through the CMS domain. To configure the Apache Sling CMS Security Filter:

    • Open the OSGi console to http://localhost:8080/system/console/configMgr
    • Select the plus indicator by Apache Sling CMS Security Filter
    • Configure the Host Domain, Allowed Patterns and, optionally, the Group required to access the CMS Configure Security Filter

  2. Configure the Referrer Filter - this filters which referrers are allowed send modification requests to the CMS instance. To configure the Referrer Filter:

  3. Configure Apache for Security - Add configurations like the ones below to make Apache HTTPD secure:

    # Security Protection
Header set Content-Security-Policy	default-src https: data: 'unsafe-inline'; frame-ancestors https:
Header set Feature-Policy * 'none'
Header set Referrer-Policy	strict-origin
Header set Strict-Transport-Security	max-age=15552000; includeSubDomains; preload
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"

# Harden Apache
ServerSignature Off
ServerTokens Prod
TraceEnable off

    Note, you should expect to tweak these based on your environment. The website securityheaders.com is a good resource for learning about the best practices in security header configurations.

  4. Ensure sites only allow specific paths - in Configure Site, you need to configure the individual site's Virtual Host in Apache. Ensure that only the required paths are proxied. This should never include paths under /etc, /system, /bin, /home or /var