403 Forbidden on native GraphQL endpoint behind Adobe Edge Delivery Service | Community
Skip to main content
O
olsalas711
Level 4
May 6, 2025
Solved

403 Forbidden on native GraphQL endpoint behind Adobe Edge Delivery Service

  • May 6, 2025
  • 2 replies
  • 1843 views

Hello community,

I am using AEM as a Cloud Service and have a native GraphQL endpoint at
/content/cq:graphql/my-endpoint/endpoint.json

 

  • Direct calls via Postman to the Publish URL return 200 OK.
  • Local frontend fetches from http://localhost:3000 return 200 OK.
  • Deployed behind Adobe Edge Delivery Service 
    the OPTIONS preflight returns 200 OK with correct CORS headers, but the POST returns 403 Forbidden.

 

What I have tried so far:

 

  1. Dispatcher rule allowing GET, POST and OPTIONS to /content/cq:graphql/.*
  2. OSGi configs in config.publish for:
  • ReferrerFilter (allow-empty=true, allow-hosts=[""], exclude /content/cq:graphql/.)
  • CORSFilter (allowOrigins=["*"], allowMethods includes POST and OPTIONS)
  • CSRFPreventionFilter (filter.methods=["POST","PUT","DELETE"], filter.patterns excludes /content/cq:graphql/.*)

Despite these settings, the fetch still returns 403 when routed through EDS.

Does anyone know what additional EDS or CDN configuration might block these POST requests? Or any default EDS behavior, like header rewrites, that could trigger a 403?

Thank you in advance.

Oscar Salas

Best answer by olsalas711

Hi community,

 

I resolved the issue with the following configuration

 

org.apache.sling.security.impl.ReferrerFilter.cfg.json

 

{ "allow.paths": [ "/content/cq:graphql/.*" ], "allow.hosts.regexp": [ "https://.*\\.adobe\\.com(:443)?", "https://.*\\.adobe\\.net(:443)?", "https://.*\\.workfront\\.com(:443)?", "https://.*\\.workfront-dev\\.com(:443)?", "https://.*\\.dev\\.workfront\\.tech(:443)?", "https://.*\\.aem\\.live(:443)?" ], "allow.hosts": [""], "filter.enabled": true, "allow.empty": true, "allow.methods": ["GET", "POST", "OPTIONS"] }

 

 I allowed .aem.live as valid referrer.

2 replies

SantoshSai
Community Advisor
SantoshSaiCommunity Advisor
Community Advisor
May 6, 2025

Hi @olsalas711,

It should be EDS, based on Fastly - can strip or rewrite headers, block certain request types, or enforce rules (especially on POST) that differ from your AEM Publish instance.

403 Forbidden in this context usually means:

  • A header or body modification by EDS is triggering security filters.

  • EDS is blocking POSTs to “non-whitelisted” paths by default.

  • Missing or malformed Host, Origin, or custom headers expected by your CORS or CSRF filter downstream.

1. Check if EDS path is whitelisted

Adobe EDS might only allow POSTs to specific endpoints (like /content/forms, /api, etc.). You need to:

  • File a request to Adobe support or your provisioning team to whitelist /content/cq:graphql/.* in your EDS routing rules.

  • Ensure that POST to GraphQL endpoints is not stripped or blocked at the CDN edge.

2. Header Preservation in EDS

Make sure EDS is not stripping the following headers in the POST request:

  • Origin

  • Host

  • Content-Type

  • Authorization (if used)

You can configure this via cdn.yaml if you're managing your CDN routing via Adobe App Builder or Edge Config.

Example:

routes:
  - path: /content/cq:graphql/*
    allowMethods: [GET, POST, OPTIONS]
    forwardHeaders:
      - Origin
      - Host
      - Content-Type
      - Authorization

3. Double-Check CSRF and CORS Behavior

While you've configured CSRFPreventionFilter to exclude /content/cq:graphql/.*, ensure that:

  • The exact POST path and method are excluded in config.publish.

  • If using Apache Sling Referrer Filter, make sure allow-empty and allow-hosts include the edge origin host used by EDS.

References: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/headless/deployment/cross-origin-resource-sharing

https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/security/develop-for-cross-origin-resource-sharing

https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/security/understand-cross-origin-resource-sharing

Hope that helps!

Santosh Sai
AmitVishwakarma
Community Advisor
AmitVishwakarmaCommunity Advisor
Community Advisor
May 7, 2025

Hi @olsalas711 ,

Root Cause

The issue is not AEM — it’s Adobe EDS (Fastly) intercepting or blocking the request due to:

  - Missing or stripped headers (Origin, Host, Content-Type)

  - Path not whitelisted for POST in EDS

  - Blocked methods (like POST) by default on custom paths

1. Whitelist the GraphQL Path in EDS

If using Adobe App Builder + CDN (cds.yaml) or Adobe I/O Runtime, you must define the GraphQL route explicitly

routes: - path: /content/cq:graphql/* allowMethods: [GET, POST, OPTIONS] forwardHeaders: - Origin - Host - Content-Type - Authorization

If you’re not managing EDS yourself, file a support ticket or work with Adobe provisioning team to allow POST on /content/cq:graphql/*.

2. Preserve Required Headers

Ensure these headers are not stripped or modified at EDS/CDN layer:

  - Origin

  - Host

  - Content-Type

  - Authorization (if used)

  - Referer (optional, if CSRFReferrerFilter is used)

If using cdn.yaml, add:

forwardHeaders: - Origin - Host - Content-Type - Authorization

3. Ensure CSRF and CORS Filters Are Correct

You've mostly configured this — just double-check the exact syntax and confirm path matches:

org.apache.sling.security.csrf.impl.CSRFProtectionConfig.cfg.json:

{ "filter.methods": ["POST", "PUT", "DELETE"], "filter.excluded.paths": ["/content/cq:graphql/.*"] }

com.adobe.granite.cors.impl.CORSPolicyImpl~graphql.cfg.json:

{ "allowed.origins": ["*"], "allowed.methods": ["GET", "POST", "OPTIONS"], "allowed.paths": ["/content/cq:graphql/.*"], "supports.credentials": false }

4. Debug Using curl or Postman With Verbose Mode

Run the following to inspect exactly what’s happening at the EDS level:

curl -X POST https://<your-eds-domain>/content/cq:graphql/my-endpoint/endpoint.json \ -H "Origin: https://your-frontend.com" \ -H "Content-Type: application/json" \ -H "Host: your.aem.domain" \ -d '{"query": "{yourQuery}"}' \ -v

Look for:

  - 403 status

  - Missing headers in the forwarded request

  - Fastly response headers indicating edge block

Regards,
Amit

O
olsalas711Author
Level 4
May 7, 2025

Hi @amitvishwakarma ,

Thank you for your response.

 

In the logs, I’m seeing the following warning:

 

org.apache.sling.security.impl.ReferrerFilter Rejected referrer header for POST request to /content/cq:graphql/<my-endpoint>/endpoint.json

 

I'm currently using the following configuration in my ui.config folder:

 

org.apache.sling.security.impl.ReferrerFilter.cfg.json

 

{ "allow.empty": true, "allow.hosts": [], "allow.paths": [ "/content/cq:graphql/.*" ], "allow.methods": [ "GET", "POST", "OPTIONS" ], "filter.enabled": true }

 

However, the POST request is still being rejected. Do you happen to know what might be missing or if there’s any additional configuration required?

 

Thanks in advance for your help.

O
olsalas711AuthorAccepted solution
Level 4
May 10, 2025

Hi community,

 

I resolved the issue with the following configuration

 

org.apache.sling.security.impl.ReferrerFilter.cfg.json

 

{ "allow.paths": [ "/content/cq:graphql/.*" ], "allow.hosts.regexp": [ "https://.*\\.adobe\\.com(:443)?", "https://.*\\.adobe\\.net(:443)?", "https://.*\\.workfront\\.com(:443)?", "https://.*\\.workfront-dev\\.com(:443)?", "https://.*\\.dev\\.workfront\\.tech(:443)?", "https://.*\\.aem\\.live(:443)?" ], "allow.hosts": [""], "filter.enabled": true, "allow.empty": true, "allow.methods": ["GET", "POST", "OPTIONS"] }

 

 I allowed .aem.live as valid referrer.

Terms & ConditionsAccessibility statement

Loading footer...