aem-project-archetype
Disable passing on authorization header by default
In https://github.com/adobe/aem-project-archetype/blob/183706c16758fc02a8becc16d2dc8a5b55e7ef46/src/main/archetype/dispatcher.cloud/src/conf.dispatcher.d/clientheaders/default_clientheaders.any#L43 the Authorization header is forwarded to AEM. That can be abused with certain endpoints to do brute-force credential attacks on the Basic Auth Handler (compare with https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/disable-basic-authentication/m-p/359084/highlight/true#M48638). Therefore I would argue that by default those headers should not be forwarded to the backend. The default AEM authorization relies on cookies only (and not the Authorization header, which is only used for OAuth and Basic Auth). As that is an immutable file and customers can only add additional headers on top, this base configuration makes it impossible to strip Authorization headers (except with workarounds like using mod_headers).
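The mod_headers workaround mentioned above, as an added example that is not part of the issue or of the archetype: a default-deny rule that strips the Authorization header before the dispatcher forwards the request, with an opt-in exception for paths that genuinely need Basic Auth or OAuth. It assumes mod_headers is loaded in the same httpd that runs the dispatcher module and that the directive is placed in a vhost configuration the customer controls; the path `/example-api-path/` is a hypothetical placeholder.

```apache
# Added example (not from the archetype or the issue): strip the Authorization
# header by default so the immutable default_clientheaders.any cannot pass it
# on to AEM, where the Basic Auth Handler would otherwise evaluate it.
# Assumes mod_headers is loaded alongside the dispatcher module.
<VirtualHost *:80>
    ServerName example.invalid

    # RequestHeader runs in the fixups phase, before the dispatcher handler
    # reads the request, so the header is already gone when it is forwarded.
    # The trailing expr= clause limits the unset to requests that are NOT for
    # the hypothetical path that legitimately needs Basic Auth or OAuth
    # credentials. Remove the clause to strip the header unconditionally.
    RequestHeader unset Authorization "expr=%{REQUEST_URI} !~ m#^/example-api-path/#"

    # Dispatcher configuration continues as generated by the archetype.
    # ...
</VirtualHost>
```

Requests to every other path reach AEM without credentials in the header, so the only remaining authentication path is the cookie-based one the issue describes as the default.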