AEM6.4.1: Block OPTIONS method call in an aem instance
nagas94895061

05-08-2019

Hi Team,

We got a security issue on an AEM instance/server saying that our AEM instance is allowing OPTIONS method calls and we need to disable that. Could you please help with this? (The issue is specific to AEM author/publish.)

Thanks

Seran.

Replies

Arun_Patidar

05-08-2019

One way is blocking it from the “Apache Sling Referrer Filter”:

http://localhost:4504/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter

  • Filter Methods (String[]): defines which HTTP method(s) will be checked with the values in the allowed hosts before accepting incoming HTTP requests.

nagas94895061

06-08-2019

Hi Arun,

Thanks for the inputs. I added the "OPTIONS" method in “Apache Sling Referrer Filter” and tried the curl command below. It is showing as allowed.

Curl Cmd: curl -i -X OPTIONS http://localhost:4503

Response:

HTTP/1.1 200 OK
Date: Tue, 06 Aug 2019 09:02:56 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0

Thanks

Seran
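A small checker for re-testing after a change like the one above, added here as an example and not code from the thread. The Sling Referrer Filter only inspects the Referer header for the methods it is configured for, so a plain curl call that sends no Referer is unaffected unless "Allow Empty" is disabled; the probe therefore sends OPTIONS both without and with a foreign Referer. The base URL and the Referer value are assumptions; the sample response is the one quoted above, constructed inline so the parser can be exercised offline.

```python
import urllib.request
import urllib.error

# Constructed sample: the response quoted earlier in this thread, as `curl -i` prints it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 06 Aug 2019 09:02:56 GMT\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_options_response(raw):
    """Parse a raw HTTP/1.1 response head into (status_code, set of methods in Allow)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    allow = set()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            allow = {m.strip().upper() for m in value.split(",") if m.strip()}
    return status, allow

def options_exposed(status, allow):
    """True when the server answered OPTIONS normally and still advertises it."""
    return status == 200 and "OPTIONS" in allow

def probe(base_url, referer=None):
    """Send one OPTIONS request (optionally with a Referer header); return (status, allow)."""
    req = urllib.request.Request(base_url, method="OPTIONS")
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as e:  # 403/405 etc. still carry headers worth reading
        status, headers = e.code, e.headers
    allow = {m.strip().upper() for m in (headers.get("Allow") or "").split(",") if m.strip()}
    return status, allow

if __name__ == "__main__":
    # Assumed target: the publish instance from the thread. Test with and without a Referer,
    # because the Referrer Filter never sees a request that carries no Referer header.
    for ref in (None, "http://foreign.example/"):
        status, allow = probe("http://localhost:4503/", ref)
        print(f"Referer={ref!r}: HTTP {status}, Allow={sorted(allow)}, "
              f"exposed={options_exposed(status, allow)}")
```

Run it against author and publish separately; if only the Referer-bearing request is rejected, the filter is working as designed but is not the control that blocks OPTIONS outright.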

anujg3325839

06-08-2019

Hi Seran, you can try putting the deny method filters at the END of the filter section in your dispatcher.any file:

/filter {
  ... all other filters ...
  /1020 { /type "deny" /method "TRACE" /url "*" }
  /1025 { /type "deny" /method "OPTIONS" /url "*" }
}

nagas94895061

06-08-2019

Hi Anuj,

Thanks for the inputs. We want to block the OPTIONS HTTP method on the author & publish servers. The issue is already addressed on our dispatcher server.

Thanks

Seran

Arun_Patidar

06-08-2019

Hi,

I tried the same on a vanilla AEM instance without any config changes; I get the below:

(attached screenshot: Capture3.PNG)

nagas94895061

06-08-2019

Hi Arun,

Could you please try with the publish instance, as the error sounds like an authentication issue for author.

Thanks

Seran

Arun_Patidar

06-08-2019

Hi,

It is a publish instance.