nagas94895061
05-08-2019
Hi Team,
We got an security issue on aem instance/server saying that our aem instance is allowing OPTIONS method calls and we need to disable that. Could you please help on this (Issue is specific to aem author/publish)
Thanks
Seran.
Arun_Patidar
MVP
One way is blocking from “Apache Sling Referrer Filter”
http://localhost:4504/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter
06-08-2019
Hi Arun,
Thanks for the inputs. I added "OPTIONS" method in “Apache Sling Referrer Filter” and tried below curl command. It is showing as allowed.
Curl Cmd: curl -i -X OPTIONS http://localhost:4503
Response:
HTTP/1.1 200 OK
Date: Tue, 06 Aug 2019 09:02:56 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0
Seran
anujg3325839
Hi Seran, you can try putting the deny method filters at the END of the filter section in your dispacther.any file
... all other filters ...
/1020 { /type “deny" /method "TRACE" /url "*" }
/1025 { /type “deny" /method "OPTIONS" /url "*" }
}
Hi Anuj,
Thanks for the inputs. We want to block OPTIONS HTTP method on author & publish server. The issue is already addressed on our dispatcher server.
Hi,
I tried same on vanilla AEM instance with any config changes, I get below:
Could you please with publish instance, as the error sounds like an authentication issue for author.
It is publish instance.
