Security & Governance — overview
Purpose: Index of security pages and the layered model that organises them.
Who this page is for
| Audience | Why it matters to you |
|---|---|
| All engineers | Security is a feature requirement |
| Tech leads | Governance owners |
Layers, outermost first
Edge WAF, TLS, headers → [TLS & headers]
Delivery Dispatcher filters → [Dispatcher security]
Application XSS/CSRF-safe code → [OWASP for AEM]
Platform Users, groups, service users → [Security model], [Service users]
Data PII discipline → [PII & data handling]
Process Audit, governance, patching → [Audit], [Content governance], [Vulnerability & patch]
| Page | Covers |
|---|---|
| Security model overview | Principals, ACLs, authentication surfaces |
| Least privilege & service users | Backend code without admin |
| Dispatcher security checklist | The delivery-tier gate |
| OWASP for AEM | XSS, CSRF, injection in AEM terms |
| TLS & security headers | Transport and browser policy |
| PII & data handling | Personal data discipline |
| Audit & compliance logging | Proving who did what |
| Content governance & approval | Regulated-content controls |
| Vulnerability & patch governance | Staying defensibly current |
Per-feature developer gate: the security checklist in Production Readiness.