Secure Web Files - BloomReach Experience - Open Source CMS
07-01-2019

Secure Web Files

Introduction

Goal

Configure which web files are publicly accessible.

Background

Web files are static resources used by the web application. Some must be publicly accessible so the browser client can use them to render a web page, e.g. CSS and Javascript files. Others, such as Freemarker templates, are only used server-side and should be secured from public access. Which web files are publicly accessible is configured through a whitelist.

Whitelisting of Web Files

Which web files should be publicly (http/https) accessible is configured through a whitelist. This is a file called hst-whitelist.txt located in the bundle's root directory. When the bundle's root directory is site, the whitelist is located in the project at

/repository-data:
  /webfiles:
    /src:
      /main:
        /resources:
          /site:
            /hst-whitelist.txt:

Projects created using the Maven archetype contain a default hst-whitelist.txt that grants public access to the folders css/fonts/ and js/. The default contents of hst-whitelist.txt are:

##########################################################################
#                                                                        #
#   This file must contain all files and folders that                   #
#   must be publicly available over http. Typically folders              #
#   that contain server side scripts, such a freemarker                  #
#   templates, should not be added as they in general should             #
#   not be publicly available.                                           #
#                                                                        #
#   The whitelisting is *relative* to the 'web file bundle root'         #
#   which is the folder in which this hst-whitelist.txt file is          #
#   located.                                                             #
#                                                                        #
#   Examples assuming the web file bundle root is 'site':                #
#                                                                        #
#   css/       : whitelists all descendant web files below 'site/css/'   #
#   common.js  : whitelists the file 'site/common.js'                    #
#                                                                        #
#   Note that the whitelisting is 'starts-with' based, thus for          #
#   example whitelisting 'css' without '/' behind it, whitelists all     # 
#   files and folders that start with 'css'                              #
#                                                                        #
##########################################################################

css/
fonts/
js/
As of HST 3.1.1 (BloomReach Experience Manager 10.1) a hst-whitelist.txt file is required. If a hst-whitelist.txt file is not present, then none of the web files are publicly accessible.
Make sure that *.txt is among the Included Files in your Web Files Configuration to ensure that hst-whitelist.txt gets imported into the repository. As of Web Files 2.0.1 and BloomReach Experience Manager 10.0.3 *.txt is included in the default configuration.
Note that the whitelisting is 'starts-with' based, e.g. whitelisting 'css' without '/' behind it, whitelists all files and folders that start with 'css'
Did you find this page helpful?
How could this documentation serve you better?
On this page
    Did you find this page helpful?
    How could this documentation serve you better?