Expand my Community achievements bar.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now

Mark Solution

This conversation has been locked due to inactivity. Please create a new post.

AEM6.4.1: Block OPTIONS method call in an aem instance

Avatar

Level 2
Level 2
8/5/19 6:41:50 AM

Hi Team,

We got an security issue on aem instance/server saying that our aem instance is allowing OPTIONS method calls and we need to disable that. Could you please help on this (Issue is specific to aem author/publish)

Thanks

Seran.

Views

6.9K

Replies

7
Sign in to like this content

Total Likes

Translate
Translate
7 Replies

Avatar

Community Advisor
Community Advisor
8/5/19 9:11:26 AM

One way is blocking from “Apache Sling Referrer Filter”

http://localhost:4504/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter

  • Filter Methods (String[]): defines which HTTP method(s) will be checked with the values in the allowed hosts before accepting incoming HTTP requests.
Arun Patidar

AEM LinksLinkedIn

Views

6.7K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
8/6/19 2:07:59 AM
In response to arunpatidar

Hi Arun,

Thanks for the inputs. I added "OPTIONS" method in “Apache Sling Referrer Filter” and tried below curl command. It is showing as allowed.

Curl Cmd: curl -i -X OPTIONS http://localhost:4503

Response:

HTTP/1.1 200 OK

Date: Tue, 06 Aug 2019 09:02:56 GMT

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

Allow: OPTIONS, TRACE, GET, HEAD

Content-Length: 0

Thanks

Seran

Views

6.7K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
8/6/19 3:24:49 AM
In response to nagas94895061

Hi,

I tried same on vanilla AEM instance with any config changes, I get below:

Capture3.PNG

Arun Patidar

AEM LinksLinkedIn

Views

6.7K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
8/6/19 3:38:06 AM
In response to arunpatidar

Hi Arun,

Could you please with publish instance, as the error sounds like an authentication issue for author.

Thanks

Seran

Views

6.7K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
8/6/19 3:56:04 AM
In response to nagas94895061

Hi,

It is publish instance.

Arun Patidar

AEM LinksLinkedIn

Views

6.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
8/6/19 2:23:29 AM

Hi Seran, you can try  putting the deny method filters at the END of the filter section in your dispacther.any file

... all other filters ...

/1020 { /type “deny" /method "TRACE" /url "*" }

/1025 { /type “deny" /method "OPTIONS" /url "*" }

}

Views

6.7K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
8/6/19 2:40:06 AM
In response to anujg3325839

Hi Anuj,

Thanks for the inputs. We want to block OPTIONS HTTP method on author & publish server. The issue is already addressed on our dispatcher server.

Thanks

Seran

Views

6.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
What an ideal MCP server for AEM should look like ?

Views

1.1K

Likes

0

Replies

4
What’s the Most Underrated AEM Feature You Can’t Live Without?

Views

2.2K

Likes

0

Replies

1
Headless AEM: Are We Building for the Future or Just Adding Complexity?

Views

26.2K

Likes

2

Replies

1
AEM 6.5 EOL: Upgrade, Migrate, or Wait—What’s the Smart Move?

Views

2.8K

Likes

6

Replies

17
👋 Welcome New AEM Community Members — August 2025

Views

3.5K

Likes

14

Replies

17