Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

AEM6.4.1: Block OPTIONS method call in an aem instance

Avatar

Level 2

Hi Team,

We got an security issue on aem instance/server saying that our aem instance is allowing OPTIONS method calls and we need to disable that. Could you please help on this (Issue is specific to aem author/publish)

Thanks

Seran.

7 Replies

Avatar

Community Advisor

One way is blocking from “Apache Sling Referrer Filter”

http://localhost:4504/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter

  • Filter Methods (String[]): defines which HTTP method(s) will be checked with the values in the allowed hosts before accepting incoming HTTP requests.

Avatar

Level 2

Hi Arun,

Thanks for the inputs. I added "OPTIONS" method in “Apache Sling Referrer Filter” and tried below curl command. It is showing as allowed.

Curl Cmd: curl -i -X OPTIONS http://localhost:4503

Response:

HTTP/1.1 200 OK

Date: Tue, 06 Aug 2019 09:02:56 GMT

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

Allow: OPTIONS, TRACE, GET, HEAD

Content-Length: 0

Thanks

Seran

Avatar

Community Advisor

Hi,

I tried same on vanilla AEM instance with any config changes, I get below:

Capture3.PNG

Avatar

Level 2

Hi Arun,

Could you please with publish instance, as the error sounds like an authentication issue for author.

Thanks

Seran

Avatar

Level 3

Hi Seran, you can try  putting the deny method filters at the END of the filter section in your dispacther.any file

... all other filters ...

/1020 { /type “deny" /method "TRACE" /url "*" }

/1025 { /type “deny" /method "OPTIONS" /url "*" }

}

Avatar

Level 2

Hi Anuj,

Thanks for the inputs. We want to block OPTIONS HTTP method on author & publish server. The issue is already addressed on our dispatcher server.

Thanks

Seran