Securing Sling CMS
Sling CMS is fairly open by default, so you will want to secure the application with the following steps:
Configure Apache for Security - Add configurations to make Apache HTTPD secure:
    # Security Protection
    Header set X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"

    # Harden Apache
    ServerSignature Off
    ServerTokens Prod
    TraceEnable off
Ensure sites only allow specific paths - in Configure Site, you need to configure the individual site's Virtual Host in Apache. Ensure that only the paths the site actually requires are proxied; this should never include paths under /etc, /system, /bin, /home or /var.
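As an added illustration (not from the Sling CMS documentation), a site Virtual Host that forwards only the site's own content path and explicitly refuses the repository paths listed above; the host name, the backend address localhost:8080 and the content path /content/example-site are assumptions:

```apache
# Added example, not part of the Sling CMS docs. Assumes Sling CMS listens on
# localhost:8080 and the site's content lives under /content/example-site.
<VirtualHost *:443>
    ServerName www.example.com
    # TLS directives omitted for brevity (see mod_ssl)

    # Security headers from the step above
    Header set X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"

    ProxyRequests Off
    ProxyPreserveHost On

    # Never forward repository/system paths to Sling. Exclusions ("!") must
    # appear before any broader ProxyPass rule that could match them.
    ProxyPass "/etc"    "!"
    ProxyPass "/system" "!"
    ProxyPass "/bin"    "!"
    ProxyPass "/home"   "!"
    ProxyPass "/var"    "!"

    # Forward only the site's own content tree. Add further prefixes only for
    # resources the site genuinely needs (assumed: none beyond its content).
    ProxyPass        "/content/example-site/" "http://localhost:8080/content/example-site/"
    ProxyPassReverse "/content/example-site/" "http://localhost:8080/content/example-site/"

    # Deny everything at the Apache layer, then re-allow the proxied prefix;
    # later Location sections override earlier ones.
    <Location "/">
        Require all denied
    </Location>
    <Location "/content/example-site/">
        Require all granted
    </Location>
</VirtualHost>
```

With this in place, a request to a path such as /system or /bin on the public host is answered by Apache itself (403) and never reaches Sling.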