Hello, I'm working to prepare our deployment of a Sling-based CMS in production. I could use some feedback and help to secure Sling. I wish to reduce the attack surface by removing features that are not needed in my setup. This work should help other people with their particular setups.
To bootstrap the process I created a git repo to serve as a sandbox [1]. The README there has more information on the goals and what you will find in the repo. Contributions are more than welcome.

First feedback: I did not find a quick way to get started in building my custom distribution. Eventually I copy-pasted that project and updated the pom.xml [2]. This initial step could be made easier by Sling - maybe a maven artifact?

----

I would like to reduce the attack surface of Sling by removing all the dependencies that I don't use. One problem that I have is that it is difficult to find out what is used and what is not.

I plan to use Sling + Composum + Oak RDBMS. That means I could get rid of Mongo, Slingshot, Webdav dependencies and others. We don't plan to use Sling features yet except the Composum functionality. After we get some experience with Sling we will be using it more and more.

Since I plan to work in Cluster mode, I might deploy the removed functionality (Webdav, etc.) on another server (maybe not public?).

Could you help me out to identify/split these services?

Regards,

[1] https://github.com/netdava/sling-cms-sandbox
[2] http://altereos.com/2017/05/how-to-create-a-custom-distribution-of-apache-sling-to-run-your-sling-application/
