What is the AEM Apache Sling Referrer Filter OSGI configuration?

AEM “referrer not allowed”

Out of the box, AEM denies all server names or hosts to make HTTP request to the respective running AEM publish/author instance. During a HTTP request made to the AEM publish/author, AEM checks the Referrer header configuration. If the referrer configured to allow the host(s), then AEM will full-fill the request, and if not, the AEM “referrer not allowed” error message will be shown.

Take an example of an AEM application exposes an servlet that exposes the endpoint of “/bin/stores.js”. This endpoint will return an array of store detail JSON objects. This feature will be reusable, so throughout the AEM application, on many occasions, the endpoint is being used to render HTML elements to the page using javascript. Now take an example of a microsite within the same organisation of m.site.com (mobile site) where it would like to consume “/bin/stores.js”. When the micro-site make a HTTP GET request on “/bin/stores.js”, you will get the AEM “referrer not allowed” error because the host (or m.site.com) referrer is not allowed; we must allow m.site.com in the Apache Sling Referrer Filter settings.


What is an “HTTP Referrer header”? The HTTP Referrer header identifies the address of the webpage who’s making a request. We can use this information to allow specific hosts to fulfill the HTTP request.

Read More: https://en.wikipedia.org/wiki/HTTP_referer

In OSGI Configurations in AEM (http://localhost:4502/system/console/configMgr) use the browser finder (CTRL + F) and find “Apache Sling Referrer Filter”. Click on the configuration, and let’s break it down to see what fields control what.

Breaking things down

  • Allow Empty (Boolean): only enable this if you are testing (using a REST Client). Enabling this will allow any hosts to make requests to your AEM application (remember to turn this off in your production environment).
  • Allow Hosts (String[]): allows specific hosts to make requests to your AEM instance; use string characters only.
  • Allow Regexp Host (String[]): allows specific hosts to make requests your AEM instance; use regex only.
  • Filter Methods (String[]): defines which HTTP method(s) will be checked with the values in the allowed hosts before accepting incoming HTTP requests.
Quick Note:
If you are learn by doing, you can follow the “How to make a simple HTTP post request in AEM” tutorial blog, where this tutorial will put the AEM Apache Sling Referrer Filter OSGI configuration in practice. https://sourcedcode.com/how-to-make-simple-http-post-methods-in-aem-with-a-http-rest-client.

Was this Article Helpful?

Certified AEM Developer who has been working on AEM software developer for the past 5 years.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top