Aeon 6.0 Hotfix: API File Uploads, OAuth Email & Web Security
Released - March 30th, 2026
Overview
This hotfix delivers five changes to Aeon 6.0:
- API File Uploads - File uploads for photoduplication requests now use the Aeon API instead of the previous SFTP-based mechanism.
- OAuth Email (SMTP) - Outbound email delivery now supports OAuth 2.0 authentication for Microsoft 365 and Google Workspace.
- Content Security Policy (CSP) Headers - Optional CSP headers to restrict which external resources the browser can load.
- Subresource Integrity (SRI) - Automatic integrity hash generation for scripts and stylesheets.
- Photoduplication Upload Improvements - File type filtering and upload history improvements.
API File Uploads
What Changed
File uploads and downloads for photoduplication requests and user attachments now go through the Aeon API. The previous approach used an embedded SFTP server in the System Manager, which has been removed.
What You Need to Do
- Set the Base API URL - After updating, configure the BaseApiUrl customization key in Customization Manager under System > System. This should point to your Aeon API base URL (e.g., https://yourserver/aeonapi). If you are upgrading from an earlier 6.0 release that already has this value configured, the update will automatically migrate it to the correct format if needed.
- Verify API accessibility - The Aeon Client must be able to reach the Web Platform API over HTTP/HTTPS for file operations to work.
- Firewall - Port 26710 (SSH) can be closed on the System Manager server as it is no longer used.
What's Removed
- The FileServicePort and FileServiceFingerprint customization keys are automatically removed during the update as they are no longer used.
- The System Manager no longer runs an SFTP server.
OAuth Email (SMTP)
What Changed
Aeon can now use OAuth 2.0 Client Credentials authentication when sending email, in addition to traditional SMTP username and password authentication. This is necessary for institutions using Microsoft 365 or Google Workspace, which have deprecated or are deprecating basic SMTP authentication.
Supported Providers
| Provider | Notes |
|---|---|
| Microsoft 365 | Requires Tenant ID, Client ID, and Client Secret from Microsoft Entra ID |
| Google Workspace | Requires Client ID and Client Secret from Google Cloud Console |
| Custom | For other OAuth-compatible email providers — all fields are manually configurable |
How to Configure
- Register an OAuth application with your email provider:
  - Microsoft 365: Register in Microsoft Entra ID and grant the Mail.Send permission.
  - Google Workspace: Register in Google Cloud Console and enable the Gmail API.
- In Aeon Customization Manager, navigate to System > Email.
- Click New Profile and select your provider type.
- Enter the required credentials (Tenant ID, Client ID, Client Secret).
- Ensure the SMTPUserID customization key is set to the email address that will send messages.
Important Notes
- OAuth is optional. If no OAuth profile is configured, Aeon continues to use basic SMTP authentication. No action is required for sites that do not use Microsoft 365 or Google Workspace for email.
- If an OAuth profile is configured, it takes precedence over basic SMTP credentials.
- Only one OAuth profile can be configured at a time.
- The Client Secret is stored encrypted in the database. A DatabaseUniqueID customization key is auto-generated during the update to support this encryption. Do not modify this value.
Content Security Policy (CSP) Headers
What Changed
The Aeon web interface can now send a Content-Security-Policy HTTP header on every page. CSP tells the browser which domains are allowed to load scripts, styles, fonts, images, and frames, reducing the risk of cross-site scripting (XSS) attacks.
How to Enable
CSP is off by default and must be opted into:
| Key | Default | Location |
|---|---|---|
| CSPEnabled | No | Customization Manager > Web Interface > General |
How It Works
The CSP policy automatically adjusts based on the type of page being served:
- Standard pages (request forms, search, user info, etc.) — Allows the CDN domains used by the default Aeon web pages (jQuery, Bootstrap, Font Awesome, Google Fonts) and permits inline scripts/styles for backward compatibility with existing web templates.
- Payment pages (credit card payment form) — Strictest policy. Inline scripts are not allowed. The payment provider domain is automatically detected from your configured payment settings.
- Captcha pages (logon, registration) — Automatically adds the appropriate captcha provider domains (Google reCAPTCHA, hCaptcha, or MTCaptcha) based on your CaptchaProvider setting.
Adding Custom Domains
If your site loads resources from domains not covered by the base policy (e.g., a university analytics service or a custom font provider), you can whitelist them using these customization keys:
| Key | What It Allows | Example Value |
|---|---|---|
| CSPAdditionalScriptDomains | Additional script and API domains | analytics.university.edu |
| CSPAdditionalStyleDomains | Additional stylesheet and font domains | fonts.googleapis.com fonts.gstatic.com |
| CSPAdditionalImageDomains | Additional image domains | cdn.university.edu |
Multiple domains can be separated by semicolons, commas, or spaces.
Recommendation
Enable CSP in a test environment first. Check the browser console for any CSP violation messages — these indicate resources your site loads that are not yet covered by the policy. Add any missing domains to the appropriate customization key before enabling in production.
Note: Atlas-hosted Aeon customers in the PCI environment are required to have CSPEnabled set to Yes.
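To make the per-page-type policy, the CSPAdditional*Domains keys and the pre-production violation check concrete, here is an added Python example. It is not Aeon code (the Web DLL is .NET) and it does not reproduce Aeon's real policy: the CDN host names in BASE_SOURCES, the PaymentProviderUrl setting name, the hCaptcha and MTCaptcha host lists, and the assumption that captcha pages keep the standard page's inline allowance are all assumptions made for this example; only the reCAPTCHA host comes from this page. The is_allowed function approximates the browser's host matching so you can test the URLs a page loads against the policy before turning CSPEnabled on in production.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Base allow-lists per directive. The CDN hosts are constructed placeholders
# standing in for the ones the default Aeon pages use (jQuery, Bootstrap,
# Font Awesome, Google Fonts); they are not Aeon's actual policy.
BASE_SOURCES: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "cdn.jquery.example", "cdn.bootstrap.example"],
    "style-src": ["'self'", "cdn.bootstrap.example", "fonts.googleapis.com"],
    "font-src": ["'self'", "cdn.fontawesome.example", "fonts.gstatic.com"],
    "img-src": ["'self'", "data:"],
    "frame-src": ["'self'"],
    "connect-src": ["'self'"],
}

# Captcha provider -> hosts its widget loads from. The reCAPTCHA host appears
# on this page; the hCaptcha and MTCaptcha entries are assumed for the example.
CAPTCHA_HOSTS: Dict[str, List[str]] = {
    "reCAPTCHA": ["www.google.com", "www.gstatic.com"],
    "hCaptcha": ["*.hcaptcha.com"],
    "MTCaptcha": ["service.mtcaptcha.com"],
}


def split_domains(value: str) -> List[str]:
    """Split a CSPAdditional*Domains value on semicolons, commas or whitespace."""
    return [d for d in re.split(r"[;,\s]+", value or "") if d]


def host_of(url: str) -> str:
    """Reduce a URL (or bare host) to the host a CSP source list needs."""
    if "://" not in url:
        url = "https://" + url
    return urlsplit(url).netloc.lower()


def build_csp(page_type: str, settings: dict) -> str:
    """Return the Content-Security-Policy value for 'standard', 'payment' or 'captcha'.

    settings holds the customization keys by name. PaymentProviderUrl is an
    assumed key used only so the example can derive the payment host.
    """
    src = {k: list(v) for k, v in BASE_SOURCES.items()}
    extra_script = split_domains(settings.get("CSPAdditionalScriptDomains", ""))
    extra_style = split_domains(settings.get("CSPAdditionalStyleDomains", ""))
    src["script-src"] += extra_script
    src["connect-src"] += extra_script        # key covers "script and API domains"
    src["style-src"] += extra_style
    src["font-src"] += extra_style            # key covers "stylesheet and font domains"
    src["img-src"] += split_domains(settings.get("CSPAdditionalImageDomains", ""))

    if page_type == "payment":
        # Strictest policy: no inline script; allow only the detected provider host.
        host = host_of(settings["PaymentProviderUrl"])
        for directive in ("script-src", "frame-src", "connect-src"):
            src[directive].append(host)
    else:
        # Standard and captcha pages keep inline script/style for legacy templates.
        src["script-src"].append("'unsafe-inline'")
        src["style-src"].append("'unsafe-inline'")
        if page_type == "captcha":
            for host in CAPTCHA_HOSTS[settings.get("CaptchaProvider", "reCAPTCHA")]:
                src["script-src"].append(host)
                src["frame-src"].append(host)

    # dict.fromkeys de-duplicates each source list while preserving order.
    return "; ".join(f"{d} {' '.join(dict.fromkeys(v))}" for d, v in src.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value back into directive -> source list."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def is_allowed(policy: Dict[str, List[str]], directive: str, url: str,
               own_host: str = "") -> bool:
    """Approximate the browser's check: would this URL pass the directive?

    Only host matching (exact, '*.' wildcard, or 'self' against own_host) is
    modelled, which is enough to predict most console violations in advance.
    """
    host = host_of(url)
    sources = policy.get(directive) or policy.get("default-src", [])
    for source in sources:
        if source == "'self'":
            if own_host and host == own_host.lower():
                return True
        elif source.startswith("*."):
            if host.endswith(source[1:]):
                return True
        elif source.lower() == host:
            return True
    return False
```

Run build_csp for each page type your site serves, then feed the script, style and image URLs from a rendered page through is_allowed; any False is a domain to add to the matching CSPAdditional*Domains key before enabling the header in production.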
Subresource Integrity (SRI)
What Changed
The Aeon Web DLL now automatically computes SHA-384 integrity hashes for local JavaScript and CSS files. When the browser loads these files, it verifies the hash matches, ensuring the file has not been tampered with.
This is handled through a new <#ASSET> template tag that replaces raw <script> and <link> tags in the default web pages. The tag automatically:
- Detects the file type (.css = stylesheet, everything else = script)
- Reads the file from disk and computes a SHA-384 hash
- Caches the hash for performance, recomputing only when the file changes
- Falls back gracefully if a file is missing — the page still loads, just without integrity verification
Tag Parameters
| Parameter | Required | Description |
|---|---|---|
| src | Yes | Path to a local file (e.g., js/custom.js) or a full external URL (e.g., https://code.jquery.com/...) |
| integrity | No | Manual integrity hash for external URLs. Ignored for local files (computed automatically). |
Any additional attributes are passed through to the generated HTML tag. This includes attributes like media, data-*, async, defer, etc.
<!-- media attribute passes through to the <link> tag -->
<#ASSET src="css/print.css" media="print">
<!-- data-cfasync passes through to the <script> tag -->
<#ASSET src="js/cookieconsent.min.js" data-cfasync="false">
<!-- async and defer pass through as boolean attributes -->
<#ASSET src="https://www.google.com/recaptcha/api.js" async defer>
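The following is an added Python example, not the Aeon Web DLL's implementation, showing what the <#ASSET> behaviour described above amounts to: the sha384-<base64> integrity value, a cache keyed on the file's modification time and size so the hash is recomputed only when the file changes, the graceful fallback when a file is missing, the .css-or-script decision, and attribute pass-through including boolean attributes. The render_asset signature, the underscore-to-hyphen attribute naming and the refusal of paths that escape the web root are choices made for this example; the tag names and behaviours are those the page describes.

```python
import base64
import hashlib
import os
import tempfile
from html import escape
from typing import Dict, Optional, Tuple

# Cache: resolved path -> (mtime_ns, size, integrity). Recomputed only on change.
_HASH_CACHE: Dict[str, Tuple[int, int, str]] = {}


def sri_hash(data: bytes) -> str:
    """SHA-384 digest in the 'sha384-<base64>' form the integrity attribute expects."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode("ascii")


def local_integrity(web_root: str, src: str) -> Optional[str]:
    """Hash a local asset, cached by mtime/size; None if missing or outside web_root."""
    root = os.path.realpath(web_root)
    path = os.path.realpath(os.path.join(root, *src.split("/")))
    if os.path.commonpath([root, path]) != root:
        return None                       # example's choice: never hash outside the web root
    try:
        st = os.stat(path)
    except OSError:
        return None                       # missing file: page still loads, just without SRI
    hit = _HASH_CACHE.get(path)
    if hit and hit[0] == st.st_mtime_ns and hit[1] == st.st_size:
        return hit[2]
    with open(path, "rb") as fh:
        digest = sri_hash(fh.read())
    _HASH_CACHE[path] = (st.st_mtime_ns, st.st_size, digest)
    return digest


def render_asset(web_root: str, src: str, integrity: Optional[str] = None, **attrs) -> str:
    """Expand an <#ASSET> tag into a <script> or <link> element (example semantics)."""
    external = src.startswith(("http://", "https://", "//"))
    stylesheet = src.lower().endswith(".css")   # .css = stylesheet, everything else = script
    # Manual integrity is honoured only for external URLs; local files are computed.
    digest = integrity if external else local_integrity(web_root, src)
    url = escape(src, quote=True)
    parts = ['<link rel="stylesheet"', f'href="{url}"'] if stylesheet else ["<script", f'src="{url}"']
    if digest:
        parts.append(f'integrity="{digest}"')
        if external:
            parts.append('crossorigin="anonymous"')  # browsers require CORS for cross-origin SRI
    for name, value in attrs.items():
        name = name.replace("_", "-")              # data_cfasync -> data-cfasync
        if value is True:
            parts.append(name)                     # boolean attribute: async, defer
        elif value is not False and value is not None:
            parts.append(f'{name}="{escape(str(value), quote=True)}"')
    return " ".join(parts) + (">" if stylesheet else "></script>")


def demo() -> dict:
    """Exercise caching, the changed-file case, the missing-file fallback and pass-through."""
    with tempfile.TemporaryDirectory() as root:        # constructed web root
        os.makedirs(os.path.join(root, "js"))
        path = os.path.join(root, "js", "custom.js")
        with open(path, "wb") as fh:
            fh.write(b"console.log('v1');")
        first = local_integrity(root, "js/custom.js")
        cached = local_integrity(root, "js/custom.js")  # served from cache
        with open(path, "wb") as fh:
            fh.write(b"console.log('version two');")   # different size: cache invalidated
        changed = local_integrity(root, "js/custom.js")
        return {
            "first": first, "cached": cached, "changed": changed,
            "script_tag": render_asset(root, "js/custom.js"),
            "missing_tag": render_asset(root, "js/nope.js"),
            "escape": local_integrity(root, "../outside.js"),
            "print_css": render_asset(root, "css/print.css", media="print"),
            "external": render_asset(root, "https://www.google.com/recaptcha/api.js",
                                     **{"async": True, "defer": True}),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The external case shows the caveat behind the CDN paragraph below: with no integrity value supplied for an external URL, the tag is emitted without an integrity attribute, so a script whose SRI hash you have not pinned is loaded unverified.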
External CDN Resources
External CDN references (e.g., jQuery, Bootstrap) do not need to use the <#ASSET> tag — standard <script> and <link> tags with a manually specified integrity attribute will continue to work. However, for PCI compliance, all external scripts and stylesheets must have an integrity attribute with a valid SRI hash.
Impact on Customized Web Pages
Customized web pages using raw <script> or <link> tags for local files will continue to work functionally, but will not have SRI protection unless migrated to the <#ASSET> format.
Atlas-hosted customers have customized web pages in their own GitHub repositories. These pages will be updated to use <#ASSET> tags by Atlas staff as part of the hotfix rollout. No action is needed, but please verify your web pages are working correctly after the update.
Self-hosted customers should update their customized web pages at their convenience. SRI is recommended but not required for self-hosted environments.
To migrate, replace your tags with the <#ASSET> format:
<!-- Before -->
<script src="js/custom.js"></script>
<link rel="stylesheet" href="css/custom.css">
<!-- After -->
<#ASSET src="js/custom.js">
<#ASSET src="css/custom.css">
Photoduplication Upload Improvements
- When uploading files, you can now filter by file type (PDF, Images, or All Files). Your selected filter is remembered the next time you open the upload dialog.
- Upload history now includes the filename (e.g., "Photoduplication item uploaded: scan001.pdf") instead of a generic message.
- Fixed an issue where TIFF files could fail to appear when using the Images filter in the upload dialog.