AEM Dispatcher Filter Section

The /filter section, defined as part of the dispatcher.any file within the Dispatcher module, lets us allow or deny incoming requests. A request that is not allowed (or accepted) by any filter rule is answered with a 404 (page not found).

Below is a simple example that denies every request and allows only the /bin/user.json URL as a POST request.

It is a best practice to deny everything first and then allow request URLs one by one.

/filter {
/0001 { /glob "*" /type "deny" }
/0002 { /type "allow" /method "POST" /url "/bin/user.json" }
}

Sample dispatcher.any File

Below is the sample dispatcher.any file:

## deny everything and allow specific entries
## Start with everything blocked as a safeguard and open things customers need and what's safe OOTB
/0001 { /type "deny" /url "*" }

## Open consoles if this isn't a production environment by uncommenting the next few lines
#/002 { /type "allow" /url "/crx/*" } ## allow content repository
#/003 { /type "allow" /url "/system/*" } ## allow OSGi console

## allow non-public content directories if this isn't a production environment by uncommenting the next few lines
#/004 { /type "allow" /url "/apps/*" } ## allow apps access
#/005 { /type "allow" /url "/bin/*" } ## allow bin path access

## This rule allows content to be accessed
/0010 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/*" } ## disable this rule to allow mapped content only

## Enable specific mime types clientlibs directories
/0011 { /type "allow" /method "GET" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|png|svg|swf|ttf|woff|woff2)' /path "/etc/clientlibs/*" }

## Enable clientlibs proxy servlet
/0012 { /type "allow" /method "GET" /url "/etc.clientlibs/*" }

## Enable basic features
## AEM provides a framework aimed at preventing Cross-Site Request Forgery attacks
/0013 { /type "allow" /method "GET" /url '/libs/granite/csrf/token.json' /extension 'json' }

## allow POSTs to form selectors under content
/0014 { /type "allow" /method "POST" /url "/content/[.]*.form.html" }

## enable personalization
/0015 { /type "allow" /method "GET" /path "/libs/cq/personalization" }

## allow POSTs to update the shopping cart
/0016 { /type "allow" /method "POST" /path "/content/[.]*.commerce.cart.json" }

## Deny content grabbing for greedy queries and prevent un-intended self DOS attacks
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

## Deny authoring query params
/0018 { /type "deny" /method "GET" /query "debug=*" }
/0019 { /type "deny" /method "GET" /query "wcmmode=*" }

#### Deny front door entry
/0020 { /type "deny" /path "/content/ams/healthcheck/*"}
/0021 { /type "deny" /url "/content/regent.html"}

## Enable specific mime types clientlibs directories
/0022 { /type "allow" /extension '(gltf|stl|obj|usdz|glb)' /method "GET" /path "/content/dam/*" }

## Deny dot dot semicolon attack
/0023 { /type "deny" /url '.*/[.][.];/.*' }

## AMSSEC033 Deny AEM password hash retrieval (AMSAUTO-15449)
/0024 { /type "deny" /suffix '(.*infinity.*|.*children.*|.*tidy.*)' }

Defining a Filter

Each item in the /filter section includes a type and a pattern that is matched with a specific element of the request line or the entire request line. Each filter can contain the following items:

Type

The /type indicates whether to allow or deny access for the requests that match the pattern. The value can be either allow or deny.

Element of the Request Line

Include /method, /url, /query, or /protocol and a pattern for filtering requests according to these specific parts of the request-line part of the HTTP request. Filtering on elements of the request line (rather than on the entire request line) is the preferred filter method.

Advanced Elements of the Request Line

Starting with Dispatcher 4.2.0, four new filter elements are available: /path, /selectors, /extension, and /suffix. Include one or more of these items to further control URL patterns.

glob Property

The /glob property is used to match with the entire request-line of the HTTP request.

Filtering with globs is deprecated in Dispatcher. Avoid using globs in the /filter section, since they can lead to security issues. For example, instead of /glob "* *.css *" use /url "*.css".

Filters Examples:

Use the various filters below to allow or deny request URLs:

Deny All Filters

The filter section below denies or allows all requests with a single line.

/0001  { /type "deny" /url "*"  }

OR

/0001 { /type "allow" /url "*" }

Allow Specific URL

Use the filter below to allow or deny a specific URL.

/0002  {  /type "allow" /url "/content/practice/us/en/home" }

OR

/0002 { /type "deny" /url "/content/practice/us/en/home" }

Allow Child URL’s

Use the filter below to allow or deny all child URLs with the help of a wildcard (glob) pattern.

/0002  {  /type "allow" /url "/content/practice/us/en/home*" }

or

/0002 { /type "deny" /url "/content/practice/us/en/home*" }

Enable POST Requests

Use the filter below to allow or deny a specific POST request and URL.

/0002  {  /type "allow" /method "POST" /url "/bin/user.json" }

OR

/0002 { /type "deny" /method "POST" /url "/bin/user.json" }

Regular Expressions

Use the filter below to allow or deny the following extensions as part of request URLs.

/005  {  /type "allow" /extension '(css|gif|ico|js|png|swf|jpe?g)' }

OR

/005 { /type "deny" /extension '(css|gif|ico|js|png|swf|jpe?g)' }

Additional Elements

Use the filters below to allow or deny specific URLs that carry additional elements such as selectors and extensions.

/006 {
/type "allow"
/path "/content/*"
/selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|jcr:content|_jcr_content|search|childrenlist|ext|assets|assetsearch|[0-9-]+)'
/extension '(json|xml|html|feed)'
}

OR

/006 {
/type "deny"
/path "/content/*"
/selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|jcr:content|_jcr_content|search|childrenlist|ext|assets|assetsearch|[0-9-]+)'
/extension '(json|xml|html|feed)'
}

Allow or Deny Selectors and Extensions

Use the condition below to allow or deny selectors and extensions.

/0001 {
/type "allow"
/selectors '((sys|doc)view|query|[0-9-]+)'
/extension '(json|xml)'
}

OR

/0001 {
/type "deny"
/selectors '((sys|doc)view|query|[0-9-]+)'
/extension '(json|xml)'
}

Restricting Query Strings

It is highly recommended to explicitly allow the query strings you need and to avoid a generic allowance through allow filter elements.

A single entry can have either a glob or some combination of method, url, query, and version, but not both. The following example allows the a=* query string and denies all other query strings for URLs that resolve to the /etc node:

/filter {
/0001 { /type "deny" /method "POST" /url "/etc/*" }
/0002 { /type "allow" /method "GET" /url "/etc/*" /query "a=*" }
}

NOTE:

If a rule contains a /query, it only matches requests that contain a query string and match the provided query pattern.

In the above example, if requests to /etc that have no query string should be allowed as well, the following rules would be required:

/filter {
/0001 { /type "deny" /method "*" /url "/path/*" }
/0002 { /type "allow" /method "GET" /url "/path/*" }
/0003 { /type "deny" /method "GET" /url "/path/*" /query "*" }
/0004 { /type "allow" /method "GET" /url "/path/*" /query "a=*" }
}
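To make the filter semantics described above concrete (ordered rules where the last match wins, single-quoted regex versus double-quoted glob patterns, the /path, /selectors, /extension and /suffix elements, and the rule that /query only matches requests that carry a query string), here is an added Python model of the evaluation. It is example code written for this article, not Dispatcher's own implementation; it assumes full-match regex semantics, ignores /glob and /protocol, and uses a simplified Sling URL decomposition.

```python
import re
from fnmatch import fnmatchcase

# Single-quoted patterns are treated as regular expressions (full match), double-quoted
# ones as globs; rules are checked in order and the last match wins. /glob is not modelled.
RULE_RE = re.compile(r"""/(\w+)\s+("[^"]*"|'[^']*')""")

def parse_rules(text):
    """One entry per line -> {element: (pattern, is_regex)}; '##' comments are dropped."""
    return [{n: (q[1:-1], q[0] == "'") for n, q in RULE_RE.findall(l.split("##", 1)[0])}
            for l in text.strip().splitlines()]

def split_request(method, url):
    """Simplified Sling decomposition: query split off, path ends at the first dot,
    then selectors and extension, then an optional /suffix."""
    url, _, query = url.partition("?")
    path, _, rest = url.partition(".")
    head, slash, tail = rest.partition("/")
    *selectors, extension = head.split(".")
    return {"method": method, "url": url, "path": path, "selectors": ".".join(selectors),
            "extension": extension, "suffix": slash + tail, "query": query}

def matches(rule, req):
    for name, (pattern, is_regex) in ((n, p) for n, p in rule.items() if n != "type"):
        value = req.get(name)
        if value is None or (name == "query" and not value):
            return False  # /query only matches requests that actually carry a query string
        if not (re.fullmatch(pattern, value) if is_regex else fnmatchcase(value, pattern)):
            return False
    return True

def evaluate(rules, method, url):
    """'allow' or 'deny'; no match falls back to deny (the page's samples open with deny-all)."""
    req, verdict = split_request(method, url), "deny"
    for rule in rules:
        if matches(rule, req):
            verdict = rule["type"][0]
    return verdict

# Constructed inputs: the page's query-string rules, and an abbreviated cut of its sample file.
QUERY_RULES = parse_rules('''
/0001 { /type "deny" /method "*" /url "/path/*" }
/0002 { /type "allow" /method "GET" /url "/path/*" }
/0003 { /type "deny" /method "GET" /url "/path/*" /query "*" }
/0004 { /type "allow" /method "GET" /url "/path/*" /query "a=*" }''')
CONTENT_RULES = parse_rules('''
/0001 { /type "deny" /url "*" }
/0010 { /type "allow" /extension '(css|js|html)' /path "/content/*" } ## abbreviated extension list
/0017 { /type "deny" /selectors '(feed|rss|infinity|tidy|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }
/0024 { /type "deny" /suffix '(.*infinity.*|.*children.*|.*tidy.*)' }''')
```

With QUERY_RULES, a GET to /path/page.html with no query string is allowed by /0002 because /0003 never matches it, while ?b=1 is denied and ?a=1 allowed; with CONTENT_RULES, /content/site/en.infinity.html is allowed by /0010 and then denied by the later /0017, which is exactly why rule order matters.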

Imran Khan, Adobe Community Advisor, AEM certified developer and Java Geek, is an experienced AEM developer with over 11 years of expertise in designing and implementing robust web applications. He leverages Adobe Experience Manager, Analytics, and Target to create dynamic digital experiences. Imran possesses extensive expertise in J2EE, Sightly, Struts 2.0, Spring, Hibernate, JPA, React, HTML, jQuery, and JavaScript.
