Solved

403 Forbidden on native GraphQL endpoint behind Adobe Edge Delivery Service

Level 4

Hello community,

I am using AEM as a Cloud Service and have a native GraphQL endpoint at
/content/cq:graphql/my-endpoint/endpoint.json

 

  • Direct calls via Postman to the Publish URL return 200 OK.
  • Local frontend fetches from http://localhost:3000 return 200 OK.
  • Deployed behind Adobe Edge Delivery Service: the OPTIONS preflight returns 200 OK with correct CORS headers, but the POST returns 403 Forbidden.

 

What I have tried so far:

 

  1. Dispatcher rule allowing GET, POST and OPTIONS to /content/cq:graphql/.*
  2. OSGi configs in config.publish for:
     • ReferrerFilter (allow-empty=true, allow-hosts=[""], exclude /content/cq:graphql/.)
     • CORSFilter (allowOrigins=["*"], allowMethods includes POST and OPTIONS)
     • CSRFPreventionFilter (filter.methods=["POST","PUT","DELETE"], filter.patterns excludes /content/cq:graphql/.*)

Despite these settings, the fetch still returns 403 when routed through EDS.

Does anyone know what additional EDS or CDN configuration might block these POST requests? Or any default EDS behavior, like header rewrites, that could trigger a 403?

Thank you in advance.

Oscar Salas

1 Accepted Solution

Correct answer by
Level 4

Hi community,

 

I resolved the issue with the following configuration:

org.apache.sling.security.impl.ReferrerFilter.cfg.json

{
  "allow.paths": [
    "/content/cq:graphql/.*"
  ],
  "allow.hosts.regexp": [
    "https://.*\\.adobe\\.com(:443)?",
    "https://.*\\.adobe\\.net(:443)?",
    "https://.*\\.workfront\\.com(:443)?",
    "https://.*\\.workfront-dev\\.com(:443)?",
    "https://.*\\.dev\\.workfront\\.tech(:443)?",
    "https://.*\\.aem\\.live(:443)?"
  ],
  "allow.hosts": [""],
  "filter.enabled": true,
  "allow.empty": true,
  "allow.methods": ["GET", "POST", "OPTIONS"]
}

 

I allowed .aem.live as a valid referrer.

4 Replies

Community Advisor

Hi @olsalas711,

It should be EDS: based on Fastly, it can strip or rewrite headers, block certain request types, or enforce rules (especially on POST) that differ from your AEM Publish instance.

403 Forbidden in this context usually means:

  • A header or body modification by EDS is triggering security filters.

  • EDS is blocking POSTs to “non-whitelisted” paths by default.

  • Missing or malformed Host, Origin, or custom headers expected by your CORS or CSRF filter downstream.

1. Check if the EDS path is whitelisted

Adobe EDS might only allow POSTs to specific endpoints (like /content/forms, /api, etc.). You need to:

  • File a request to Adobe support or your provisioning team to whitelist /content/cq:graphql/.* in your EDS routing rules.

  • Ensure that POST to GraphQL endpoints is not stripped or blocked at the CDN edge.

2. Header Preservation in EDS

Make sure EDS is not stripping the following headers in the POST request:

  • Origin

  • Host

  • Content-Type

  • Authorization (if used)

You can configure this via cdn.yaml if you're managing your CDN routing via Adobe App Builder or Edge Config.

Example:

routes:
  - path: /content/cq:graphql/*
    allowMethods: [GET, POST, OPTIONS]
    forwardHeaders:
      - Origin
      - Host
      - Content-Type
      - Authorization

3. Double-Check CSRF and CORS Behavior

While you've configured CSRFPreventionFilter to exclude /content/cq:graphql/.*, ensure that:

  • The exact POST path and method are excluded in config.publish.

  • If using Apache Sling Referrer Filter, make sure allow-empty and allow-hosts include the edge origin host used by EDS.

References: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/headless/deploym...

https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/security/develop-for-...

https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/security/understand-c...

Hope that helps!


Santosh Sai

AEM Blogs | LinkedIn


Community Advisor

Hi @olsalas711 ,

Root Cause

The issue is not AEM — it’s Adobe EDS (Fastly) intercepting or blocking the request due to:

  - Missing or stripped headers (Origin, Host, Content-Type)

  - Path not whitelisted for POST in EDS

  - Blocked methods (like POST) by default on custom paths

1. Whitelist the GraphQL Path in EDS

If using Adobe App Builder + CDN (cdn.yaml) or Adobe I/O Runtime, you must define the GraphQL route explicitly:

routes:
  - path: /content/cq:graphql/*
    allowMethods: [GET, POST, OPTIONS]
    forwardHeaders:
      - Origin
      - Host
      - Content-Type
      - Authorization

If you’re not managing EDS yourself, file a support ticket or work with the Adobe provisioning team to allow POST on /content/cq:graphql/*.

2. Preserve Required Headers

Ensure these headers are not stripped or modified at EDS/CDN layer:

  - Origin

  - Host

  - Content-Type

  - Authorization (if used)

  - Referer (optional, if CSRFReferrerFilter is used)

If using cdn.yaml, add:

forwardHeaders:
  - Origin
  - Host
  - Content-Type
  - Authorization

3. Ensure CSRF and CORS Filters Are Correct

You've mostly configured this — just double-check the exact syntax and confirm path matches:

com.adobe.granite.csrf.impl.CSRFFilter.cfg.json:

{
  "filter.methods": ["POST", "PUT", "DELETE"],
  "filter.excluded.paths": ["/content/cq:graphql/.*"]
}

com.adobe.granite.cors.impl.CORSPolicyImpl~graphql.cfg.json:

{
  "alloworigin": ["*"],
  "supportedmethods": ["GET", "POST", "OPTIONS"],
  "allowedpaths": ["/content/cq:graphql/.*"],
  "supportscredentials": false
}

4. Debug Using curl or Postman With Verbose Mode

Run the following to inspect exactly what’s happening at the EDS level:

curl -X POST https://<your-eds-domain>/content/cq:graphql/my-endpoint/endpoint.json \
  -H "Origin: https://your-frontend.com" \
  -H "Content-Type: application/json" \
  -H "Host: your.aem.domain" \
  -d '{"query": "{yourQuery}"}' \
  -v

Look for:

  - 403 status

  - Missing headers in the forwarded request

  - Fastly response headers indicating edge block

Regards,
Amit

Level 4

Hi @AmitVishwakarma ,

Thank you for your response.

 

In the logs, I’m seeing the following warning:

 

org.apache.sling.security.impl.ReferrerFilter Rejected referrer header for POST request to /content/cq:graphql/<my-endpoint>/endpoint.json

 

I'm currently using the following configuration in my ui.config folder:

 

org.apache.sling.security.impl.ReferrerFilter.cfg.json

 

{
  "allow.empty": true,
  "allow.hosts": [],
  "allow.paths": [
    "/content/cq:graphql/.*"
  ],
  "allow.methods": [
    "GET",
    "POST",
    "OPTIONS"
  ],
  "filter.enabled": true
}

 

However, the POST request is still being rejected. Do you happen to know what might be missing or if there’s any additional configuration required?

 

Thanks in advance for your help.
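To show why a config with an empty allow.hosts list still rejects the POST while one that allows .aem.live in allow.hosts.regexp lets it through, here is a small Python model of the Referrer Filter decision. It is an added illustration, not Sling's source and not code posted in this thread; it assumes the allow.hosts.regexp patterns are compared against the scheme://host[:port] part of the Referer, and keeps the checked-method list under filter.methods (the Sling filter's property name). The configs, server host and Referer value are constructed.

```python
"""Simplified model of the Sling ReferrerFilter accept/reject decision."""
import re
from urllib.parse import urlsplit

# Constructed: the config that was still rejected (no host allowed)
REJECTED_CFG = {
    "allow.empty": True,
    "allow.hosts": [],
    "allow.hosts.regexp": [],
    "filter.methods": ["POST", "PUT", "DELETE"],
}
# Constructed: the accepted solution, trimmed to the pattern that matters
ACCEPTED_CFG = {
    "allow.empty": True,
    "allow.hosts": [""],
    "allow.hosts.regexp": [r"https://.*\.aem\.live(:443)?"],
    "filter.methods": ["POST", "PUT", "DELETE"],
}


def referrer_allowed(cfg, method, referer, server_host="publish.example"):
    """Return True if the filter would let the request through."""
    # Only the configured (state-changing) methods are checked at all,
    # which is why the OPTIONS preflight already returned 200.
    if method.upper() not in cfg["filter.methods"]:
        return True
    # Postman-style call with no Referer: allowed when allow.empty is set
    if not referer:
        return cfg["allow.empty"]
    parts = urlsplit(referer)
    # A relative referrer (no scheme) is always accepted
    if not parts.scheme:
        return True
    # Same host as the publish instance (assumed name) is always accepted
    if parts.hostname == server_host:
        return True
    if parts.hostname in cfg["allow.hosts"]:
        return True
    # Assumption: regexps are matched against scheme://host[:port]
    origin = f"{parts.scheme}://{parts.netloc}"
    return any(re.fullmatch(p, origin) for p in cfg["allow.hosts.regexp"])


# Constructed Referer a browser sends from an aem.live site (origin only)
EDS_REFERER = "https://main--site--org.aem.live/"


def explain(cfg):
    """Outcome of the three calls described in the question."""
    return {
        "postman_no_referer": referrer_allowed(cfg, "POST", None),
        "preflight_from_eds": referrer_allowed(cfg, "OPTIONS", EDS_REFERER),
        "post_from_eds": referrer_allowed(cfg, "POST", EDS_REFERER),
    }
```

Running explain() on both configs reproduces the thread: only the POST from the aem.live origin flips from rejected to allowed once the regexp is present.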
