Unsupported Integrations
As a composable architecture, AEM embraces integrations with customers' preferred infrastructure, be it Content Delivery Networks, Content Authoring and Content Repositories, or Web Optimization and Analytics software.
A number of integration patterns have proven problematic for security, availability and performance reasons, and Adobe generally discourages them. This document outlines the integration patterns that most frequently cause issues for AEM customers.
Unsupported Content Delivery Networks
Adobe Experience Manager supports a wide set of Content Delivery Networks (CDNs) and offers deep integrations, including optimized time-to-live (TTL) and surgical invalidation upon content or code updates.
For CDNs not included in this list, the following common problems can be observed:
- Caching relies on fixed TTLs, slowing down the rollout of content updates and code changes
- Caching is often misconfigured or disabled, increasing time-to-first-byte (TTFB) and decreasing web performance
- Origin requests sometimes use insecure Transport Layer Security (TLS) practices such as domain fronting, which impedes availability and security of the site
To rectify this, we recommend that customers switch to a supported CDN. Every Adobe Experience Manager license includes access to an Adobe-managed, supported CDN, and we provide a guide for picking the right supported CDN.
Discouraged Security Practices
Adobe Experience Manager supports various security configurations and integrations with Web Application Firewalls (WAFs) and security tools. However, certain security practices have proven to be problematic for performance and reliability.
TLS Interception
TLS interception (also called SSL inspection), while intended to enhance security, often creates the issues described below.
TLS interception introduces multiple challenges that can severely impact your site's performance and security posture. The additional processing required for intercepting and re-encrypting traffic creates noticeable latency, while improper certificate handling can introduce new security vulnerabilities rather than preventing them.
Furthermore, these interception practices often conflict with modern security protocols, breaking the fundamental promise of end-to-end encryption that many applications rely on. When TLS connections are intercepted, the original security guarantees between the client and server are compromised, potentially exposing sensitive data to unnecessary risks.
Finally, an incomplete rollout of the custom Certificate Authority (CA) certificate to developers causes certificate rejection issues in the AEM CLI.
We recommend implementing end-to-end encryption without intermediate TLS termination points, utilizing modern security features built into supported CDNs.
Web Application Firewalls
While WAFs are essential for security, certain implementations can negatively impact site performance.
Web Application Firewalls can introduce performance challenges through synchronous request processing, complex pattern matching rules, inefficient geographic routing, and interference with CDN caching. These factors combine to create unnecessary latency and diminish the performance benefits of your content delivery architecture.
For optimal security and performance, consider using Adobe's built-in WAF security features or implementing WAF solutions through supported CDN providers.