Dispatcher security checklist
Purpose: The delivery-tier hardening list: filters, selectors, and the verification that must run from outside.
Who this page is for
| Audience | Why it matters to you |
|---|---|
| Platform engineers | Config owners |
| All engineers | Every new endpoint touches this |
Filter checklist (deny by default, then narrow allows)
- [ ] Rule /0001 denies
*; every allow after it is specific (method + path + extension + selectors) - [ ] Blocked and verified:
/crx/*,/system/*,/libs/granite/*,/etc/replication,/bin/*(except reviewed endpoints),.infinity.json, numbered-depth.N.json,.tidy.json,.sysview,.docview,.query.json,.xmldumps - [ ] POST allowed only to reviewed endpoints (forms, token) — not
/content/*broadly - [ ] Selectors pinned: allowed selector list per content path (
(card|summary|model)) — arbitrary selectors render arbitrary variants and fill the cache (DoS + cache-poison surface) - [ ] Suffix and query-string patterns constrained where used
- [ ] Debug params blocked in prod:
debugClientLibs,wcmmodeforced to disabled on publish
Beyond filters
- [ ] Dispatcher flush (/invalidate handler) accepts only publish IPs (
/allowedClients) - [ ] Error pages don't leak stack traces/version info (custom 404/50x — verify by breaking something on stage)
- [ ] Response headers scrubbed: no
X-Powered-By-style version disclosure; security headers present (TLS & headers) - [ ] Path traversal patterns (
/.., encoded variants,///) rejected — test literally - [ ] Publish instances unreachable except from dispatchers (network rule, not just habit)
Verification is external or it is fiction
A quarterly (and per-go-live) probe through the CDN from the internet: scripted curl suite of every blocked pattern above expecting 404/403, plus the allowed set expecting 200. Keep the suite in git; run it in the pipeline against stage on dispatcher config changes (farm design CI note). The config file says what you intended; only the probe says what is true.