HomeSecurity & Governance › TLS & security headers

TLS & security headers

Purpose: Transport security and browser-policy headers for an AEM delivery chain, and where each is configured.

Who this page is for

AudienceWhy it matters to you
Platform engineersConfig owners
Frontend engineersCSP co-owners

TLS baseline

The header set (configure at dispatcher/web-server; keep in the /cache /headers list so cached responses carry them)

HeaderValue shapeNote
Strict-Transport-Securitymax-age=…; includeSubDomainsSee soak note above
Content-Security-Policydefault-src 'self' + explicit vendor listThe big one — below
X-Content-Type-OptionsnosniffFree win
X-Frame-Options / frame-ancestorsDENY (or allowlist)Except paths intentionally embedded
Referrer-Policystrict-origin-when-cross-origin
Permissions-PolicyDeny unused features (camera, geolocation…)
Cache-ControlPer content type (CDN strategy)Security-adjacent: no-store on personalised responses

CSP for an AEM site, practically

Verify externally

Header presence through the CDN (curl per path family incl. cached responses, error pages, JSON endpoints — the ones that lose headers by accident), plus one of the public scanner suites per quarter. Same principle as the dispatcher probe: only external observation counts.

Quick navigation