CQ Security Checklist
Miscellaneous Administration
CQ Security Checklist
There are few security checklist one should go through before using CQ Instance on production. We will cover high level important security checklist here
- Change Default Password
CQ OOTB has admin password as "admin" and there are other OOTB account having repository access. After installing CQ Change admin password.
For this go to http://<server>:<port>/libs/granite/security/content/admin.html
Chose Admin account from left
Click on edit, new password and change password
- Disable WebDav
Webdav allow you to connect to repository through webdav client. It also allows principals having access to repository to edit or change content or code from CRXDE light. You can do following to disable webdav access
- Connect to the Felix Management Console running on: http://<host>:<port>/system/console
- go to HOST:PORT/system/console/bundles.
- Disable Apache Sling Simple WebDAV Access to repositories (org.apache.sling.jcr.webdav) and Sling DavEx Access to repositories (org.apache.sling.jcr.davex) by clicking sto button
- Restrict Access Via Dispatcher
Dispatcher is powerful way for restricting access to CQ instance. You can use /filters section of dispatcher.any to restrict access to unwanted access to repository. There are some basic rules you should follow to restrict access to repository.
- Only allow what is needed. Usually /content and /etc/designs location is accessed by visitor
- Follow deny all and then allow specific path rule.
- Do not allow POST, unless needed
- Sample filter section will look like this
Dispatcher Filter Section
# only handle the requests in the following acl. default is 'none'
# the glob pattern is matched against the first request line
/filter
{
# deny everything and allow specific entries
/0001 { /type "deny" /glob "*" }
# open consoles
# /0012 { /type "allow" /glob "* /crx/*" } # allow content repository
# /0013 { /type "allow" /glob "* /system/*" } # allow OSGi console
# allow non-public content directories
# /0021 { /type "allow" /glob "* /apps/*" } # allow apps access
# /0022 { /type "allow" /glob "* /bin/*" }
/0023 { /type "allow" /glob "* /content*" } # disable this rule to allow mapped content only
# /0024 { /type "allow" /glob "* /libs/*" }
# /0025 { /type "deny" /glob "* /libs/shindig/proxy*" } # if you enable /libs close access to proxy
# /0026 { /type "allow" /glob "* /home/*" }
# /0027 { /type "allow" /glob "* /tmp/*" }
# /0028 { /type "allow" /glob "* /var/*" }
# enable specific mime types in non-public content directories
/0041 { /type "allow" /glob "* *.css *" } # enable css
/0042 { /type "allow" /glob "* *.gif *" } # enable gifs
/0043 { /type "allow" /glob "* *.ico *" } # enable icos
/0044 { /type "allow" /glob "* *.js *" } # enable javascript
/0045 { /type "allow" /glob "* *.png *" } # enable png
/0046 { /type "allow" /glob "* *.swf *" } # enable flash
/0047 { /type "allow" /glob "* *.svg *" } # enable SVG
/0048 { /type "allow" /glob "* *.woff *" } # enable woff
/0049 { /type "allow" /glob "* *.ttf *" } # enable ttf
/0050 { /type "allow" /glob "* *.eot *" } # enable eot
/0051 { /type "allow" /glob "* *.jpg *" } # enable jpg
# enable features
/0061 { /type "allow" /glob "POST /content/[.]*.form.html" } # allow POSTs to form selectors under content
/0062 { /type "allow" /glob "* /libs/cq/personalization/*" } # enable personalization
/0063 { /type "allow" /glob "POST /content/[.]*.commerce.cart.json" } # allow POSTs to update the shopping cart
# deny content grabbing
/0081 { /type "deny" /glob "GET *.infinity.json*" }
/0082 { /type "deny" /glob "GET *.tidy.json*" }
/0083 { /type "deny" /glob "GET *.sysview.xml*" }
/0084 { /type "deny" /glob "GET *.docview.json*" }
/0085 { /type "deny" /glob "GET *.docview.xml*" }
/0086 { /type "deny" /glob "GET *.*[0-9].json*" }
/0087 { /type "deny" /glob "GET *.feed.xml*" }
# /0088 { /type "allow" /glob "GET *.1.json*" } # allow one-level json requests
# deny query
# This is only required if dispatching for CQ 5.5 or older
/0090 { /type "deny" /glob "* *.query*" }
}
You have to add specific rules for vanity URL in this case.
- Disable POST using referral filter
If POST is required by your application, You can disable POST by other applications using referral filter setting in felix console. For that
- Go to felix console HOST:PORT/system/console/configMgr
- Search for referral filter and change setting
- Put your CQ instances within DMZ to avoid virus attack
Important Resources:
Here we just covered high level of Security checklist. detail information can be obtained from https://dev.day.com/docs/en/cq/current/deploying/security_checklist.html