unable to block http options with AEM felix configuration | Community
Skip to main content
R
ramgopalm545617
Level 4
October 22, 2020
Solved

unable to block http options with AEM felix configuration

  • October 22, 2020
  • 2 replies
  • 1659 views

Even after adding OPTIONS method to filter methods in both Adobe Granite CSRF filter and Apache sling referrer filter, the CURL requests are still responding with 200 response.

 

curl -i -X OPTIONS http://<host>:<port>/content/*****/en/****/home.html
HTTP/1.1 200 OK
Date: Thu, 22 Oct 2020 17:42:30 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0

 

is there is any other config which needs to be done to to stop HTTP OPTIONS on the direct server host:port URL, this has been raised a security vulnerability, please help us here

@Vijayalakshmi_S @joerghoh @vanegi @arunpatidar 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by arunpatidar
Not sure, what could be the issueIf, if you want to block the request, create your own filter and block the request based on this 2 urls.

2 replies

joerghoh
Adobe Employee
joerghohAdobe Employee
Adobe Employee
October 22, 2020

Hi,

 

AFAIK the security checklist advises you to always have a dispatcher in front an AEM instance. And then configure this on the dispatcher/webserver. And in that case no one will have direct access to the AEM instance (except maybe admins).

    R
    ramgopalm545617Author
    Level 4
    October 23, 2020
    Hi @joerghoh, we also know that this has to be blocked at apache level, but there is a security vulnerability that AEM HTTP OPTIONS opened, so we have to fix the issue
      arunpatidar
      Community Advisor
      arunpatidarCommunity Advisor
      Community Advisor
      October 25, 2020

      Please check if this helps

      https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-block-http-options-request-in-aem/qaq-p/363827

      https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem6-4-1-block-options-method-call-in-an-aem-instance/td-p/321193

       

      Arun Patidar
        R
        ramgopalm545617Author
        Level 4
        October 27, 2020
        thanks for the reply, even after adding the method to apache sling referrer filter, we are still facing the issue. it's strange that the local host is giving 401 for me as well in publish even without adding any configurations, really confused what should be next steps here. @arunpatidar
          Terms & ConditionsAccessibility statement

          Loading footer...