TLS & security headers
Purpose: Transport security and browser-policy headers for an AEM delivery chain, and where each is configured.
Who this page is for
| Audience | Why it matters to you |
|---|---|
| Platform engineers | Config owners |
| Frontend engineers | CSP co-owners |
TLS baseline
- TLS 1.2+ only, modern cipher suites, at the CDN/LB edge; internal hops (CDN→dispatcher→publish) encrypted or on isolated networks — decided explicitly, not by default.
- Certificates: automated renewal with expiry monitoring (<14 days pages someone — monitoring); no wildcard sprawl beyond need.
- HSTS after an all-HTTPS soak period (start small max-age, then raise; preload only when sure — it is nearly irreversible).
The header set (configure at dispatcher/web-server; keep in the /cache /headers list so cached responses carry them)
| Header | Value shape | Note |
|---|---|---|
| Strict-Transport-Security | max-age=…; includeSubDomains | See soak note above |
| Content-Security-Policy | default-src 'self' + explicit vendor list | The big one — below |
| X-Content-Type-Options | nosniff | Free win |
| X-Frame-Options / frame-ancestors | DENY (or allowlist) | Except paths intentionally embedded |
| Referrer-Policy | strict-origin-when-cross-origin | — |
| Permissions-Policy | Deny unused features (camera, geolocation…) | — |
| Cache-Control | Per content type (CDN strategy) | Security-adjacent: no-store on personalised responses |
CSP for an AEM site, practically
- Inventory first: clientlibs, third-party tags, fonts, analytics — the CSP is that inventory expressed as policy, which is why an ungoverned tag manager makes strict CSP impossible.
- Start with
Content-Security-Policy-Report-Only+ a report endpoint; tighten until the report is quiet; then enforce. - Inline scripts are the AEM pain point (some product/tag patterns inline): prefer nonces where feasible, isolate the exceptions, don't give up and allow
unsafe-inlineeverywhere. - Author tier gets a different (laxer) policy — the authoring UI needs more than your site does; never ship the author policy to publish.
Verify externally
Header presence through the CDN (curl per path family incl. cached responses, error pages, JSON endpoints — the ones that lose headers by accident), plus one of the public scanner suites per quarter. Same principle as the dispatcher probe: only external observation counts.