{"id":17933360,"url":"https://github.com/apache/sling-org-apache-sling-security","last_synced_at":"2025-06-11T07:38:56.761Z","repository":{"id":26133659,"uuid":"107434866","full_name":"apache/sling-org-apache-sling-security","owner":"apache","description":"Apache Sling Security","archived":false,"fork":false,"pushed_at":"2025-03-13T06:26:00.000Z","size":169,"stargazers_count":5,"open_issues_count":2,"forks_count":9,"subscribers_count":28,"default_branch":"master","last_synced_at":"2025-03-19T03:00:06.009Z","etag":null,"topics":["java","sling"],"latest_commit_sha":null,"homepage":"https://sling.apache.org/","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/apache.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-10-18T16:33:29.000Z","updated_at":"2025-03-13T06:26:04.000Z","dependencies_parsed_at":"2025-03-11T07:30:26.812Z","dependency_job_id":null,"html_url":"https://github.com/apache/sling-org-apache-sling-security","commit_stats":null,"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fsling-org-apache-sling-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fsling-org-apache-sling-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fsling-org-apache-sling-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apache%2Fsling-org-apache-sling-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/apache","download_url":"https://codeload.github.com/apache/sling-org-apache-sling-security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245222795,"owners_count":20580236,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java","sling"],"created_at":"2024-10-28T21:39:43.781Z","updated_at":"2025-06-11T07:38:56.732Z","avatar_url":"https://github.com/apache.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Apache Sling](https://sling.apache.org/res/logos/sling.png)](https://sling.apache.org)\n\n\u0026#32;[![Build Status](https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-security/job/master/badge/icon)](https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-security/job/master/)\u0026#32;[![Test Status](https://img.shields.io/jenkins/tests.svg?jobUrl=https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-security/job/master/)](https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-security/job/master/test/?width=800\u0026height=600)\u0026#32;[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=apache_sling-org-apache-sling-security\u0026metric=coverage)](https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-security)\u0026#32;[![Sonarcloud Status](https://sonarcloud.io/api/project_badges/measure?project=apache_sling-org-apache-sling-security\u0026metric=alert_status)](https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-security)\u0026#32;[![JavaDoc](https://www.javadoc.io/badge/org.apache.sling/org.apache.sling.security.svg)](https://www.javadoc.io/doc/org.apache.sling/org.apache.sling.security)\u0026#32;[![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.apache.sling/org.apache.sling.security/badge.svg)](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.apache.sling%22%20a%3A%22org.apache.sling.security%22)\u0026#32;[![Contrib](https://sling.apache.org/badges/status-contrib.svg)](https://github.com/apache/sling-aggregator/blob/master/docs/status/contrib.md) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)\n\n# Apache Sling Security\n\nThis module is part of the [Apache Sling](https://sling.apache.org) project.\n\nThe Apache Sling Security module provides CSRF protection through a filter checking the referrer and a content disposition filter. This OSGi bundle can be used as a standalone bundle outside of Apache Sling - in that case only the referrer check functionality is available as the content disposition filter depends on the Apache Sling Framework\n\n## Referrer Filter (CSRF Protection)\n\nConfiguring the Apache Sling Referrer Filter involves setting up an OSGi configuration to manage which referrers are allowed to access your application. Here are some of the options:\n\n- **Allow Empty**: Determines if requests with empty or missing referrer headers are allowed. This should typically be set to `false` for security reasons.\n- **Allow Hosts**: Specifies a list of allowed hosts for the referrer. These are matched against the full referrer URL.\n- **Allow Regexp Hosts**: Allows using regular expressions to match referrer hosts.\n- **Filter Methods**: Specifies which HTTP methods (e.g., POST, PUT, DELETE) are filtered by the Referrer Filter.\n- **Exclude Regexp User Agents**: Allows excluding certain user agents from referrer checks.\n- **Exclude Paths**: Specifies paths that should not be checked for referrers.\n\n### Sample Configuration\n\nThe filter can be configured through an OSGi configuration for the PID `org.apache.sling.security.impl.ReferrerFilter`. This is a sample configuration in JSON format:\n\n```json\n{\n  \"allow.empty\": false,\n  \"allow.hosts\": [\"mysite.com\", \"localhost\"],\n  \"allow.hosts.regexp\": [],\n  \"filter.methods\": [\"POST\", \"PUT\", \"DELETE\", \"COPY\", \"MOVE\"],\n  \"exclude.agents.regexp\": [],\n  \"exclude.paths\": []\n}\n```\n\nIn addition it is possible to amend the configuration by additional OSGi factory configurations for the factory PID `org.apache.sling.security.impl.ReferrerFilterAmendmentImpl`. This is a sample configuration in JSON format:\n\n```json\n{\n  \"allow.hosts\": [\"mysite.com\", \"localhost\"],\n  \"allow.hosts.regexp\": [],\n  \"exclude.agents.regexp\": [],\n  \"exclude.paths\": []\n}\n```\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapache%2Fsling-org-apache-sling-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapache%2Fsling-org-apache-sling-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapache%2Fsling-org-apache-sling-security/lists"}