AEM6.4.1: Block OPTIONS method call in an aem instance | Community
Level 2
August 5, 2019

AEM6.4.1: Block OPTIONS method call in an aem instance

  • August 5, 2019
  • 2 replies
  • 6945 views

Hi Team,

We got a security issue on our AEM instance/server saying that our AEM instance is allowing OPTIONS method calls and we need to disable that. Could you please help with this? (The issue is specific to the AEM author/publish.)

Thanks

Seran.



arunpatidar
Community Advisor
August 5, 2019

One way is blocking it via the "Apache Sling Referrer Filter":

http://localhost:4504/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter

  • Filter Methods (String[]): defines which HTTP method(s) will be checked with the values in the allowed hosts before accepting incoming HTTP requests.
Arun Patidar
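The Referrer Filter only inspects requests whose method is in "Filter Methods", and what it inspects is the Referer header: a request with no Referer is accepted or rejected according to "Allow Empty", and a request with one is accepted when the referrer host is the instance itself or one of "Allow Hosts". It is a CSRF control, not a method allow-list. The block below is an added example, not the Sling source or Adobe's code: a Python model of that decision. The config values (the method list, allow_empty=True, the host names) and the attacker host are assumptions for the demo; the real values are whatever the OSGi config on the instance says.

```python
"""Model of the Apache Sling Referrer Filter decision (added example, not Sling's code)."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class ReferrerFilterConfig:
    """The OSGi properties of org.apache.sling.security.impl.ReferrerFilter that matter here.

    All values are assumptions for the demo; read the real ones from /system/console/configMgr.
    """
    # "Filter Methods": only these methods are ever checked by the filter
    filter_methods: List[str] = field(default_factory=lambda: ["POST", "PUT", "DELETE", "COPY", "MOVE"])
    # "Allow Empty": let requests with no Referer header through
    allow_empty: bool = True
    # "Allow Hosts": referrer hosts trusted in addition to the instance's own host
    allow_hosts: List[str] = field(default_factory=list)
    # host name the instance is being addressed as (request.getServerName())
    server_host: str = "localhost"


def referrer_filter_status(method: str, headers: Dict[str, str], cfg: ReferrerFilterConfig) -> int:
    """Status the filter yields: 403 when it rejects the request, 200 when it lets it through."""
    if method.upper() not in {m.upper() for m in cfg.filter_methods}:
        return 200  # method not in "Filter Methods": the filter never looks at the request
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    referer = lowered.get("referer", "").strip()
    if not referer:
        return 200 if cfg.allow_empty else 403  # `curl -X OPTIONS` lands here: it sends no Referer
    if "://" not in referer:
        return 200  # relative referrer: same origin, always accepted
    host = urlparse(referer).hostname or ""
    if host == cfg.server_host or host in cfg.allow_hosts:
        return 200
    return 403  # cross-site referrer for a filtered method


def curl_options_result(cfg: ReferrerFilterConfig) -> int:
    """What `curl -i -X OPTIONS http://localhost:4503` gets from the filter (no Referer header)."""
    return referrer_filter_status("OPTIONS", {}, cfg)


if __name__ == "__main__":
    default_cfg = ReferrerFilterConfig()
    with_options = ReferrerFilterConfig(filter_methods=default_cfg.filter_methods + ["OPTIONS"])
    strict = ReferrerFilterConfig(filter_methods=default_cfg.filter_methods + ["OPTIONS"], allow_empty=False)
    print("OPTIONS not filtered, curl:        ", curl_options_result(default_cfg))
    print("OPTIONS filtered, allow.empty=true: ", curl_options_result(with_options))
    print("OPTIONS filtered, allow.empty=false:", curl_options_result(strict))
    print("OPTIONS filtered, cross-site Referer:",
          referrer_filter_status("OPTIONS", {"Referer": "http://attacker.example/"}, with_options))
```

Adding OPTIONS to the method list only changes the outcome for OPTIONS requests that carry a cross-site Referer. A Referer-less probe still passes while "Allow Empty" is true, and turning "Allow Empty" off rejects every Referer-less request for all filtered methods (non-browser API clients included) without removing OPTIONS from the server's Allow header.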
nagaseranAuthor
Level 2
August 6, 2019

Hi Arun,

Thanks for the inputs. I added the "OPTIONS" method in the "Apache Sling Referrer Filter" and tried the curl command below. It is showing as allowed.

Curl Cmd: curl -i -X OPTIONS http://localhost:4503

Response:

HTTP/1.1 200 OK
Date: Tue, 06 Aug 2019 09:02:56 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0

Thanks

Seran

arunpatidar
Community Advisor
August 6, 2019

Hi,

I tried the same on a vanilla AEM instance without any config changes, and I get the below:

Arun Patidar
anujg3325839
Adobe Employee
August 6, 2019

Hi Seran, you can try putting the deny method filters at the END of the filter section in your dispatcher.any file:

/filter {
  # ... all other filters ...
  /1020 { /type "deny" /method "TRACE" /url "*" }
  /1025 { /type "deny" /method "OPTIONS" /url "*" }
}
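The reason the deny rules go at the end is that the dispatcher evaluates the /filter section top to bottom and the last matching rule decides; an /allow that comes later and names no /method matches OPTIONS as well and re-opens it. The block below is an added example, not Adobe's dispatcher code: a small Python model of that evaluation run over two constructed filter sections, one ordered as suggested above and one with the deny rules placed too early. It simplifies the real rule syntax (only /type, /method and /url, matched as shell-style globs; /glob, /path, /selectors, /extension and friends are omitted), and the verdict used when no rule matches is a parameter because that default is not stated on this page.

```python
"""Model of dispatcher.any /filter evaluation (added example, not Adobe's dispatcher code)."""
import re
from fnmatch import fnmatchcase
from typing import Dict, List

# One rule line, e.g.:  /1025 { /type "deny" /method "OPTIONS" /url "*" }
RULE_RE = re.compile(r'^/(\d+)\s*\{(.*)\}$')
PROP_RE = re.compile(r'/(\w+)\s+"([^"]*)"')

# Request properties a rule may constrain in this simplified model.
MATCH_KEYS = ("method", "url")

# Constructed sample: deny rules at the END of the section, as suggested above.
GOOD_SECTION = """
/filter {
  /0001 { /type "deny"  /url "*" }
  /0002 { /type "allow" /url "/content/*" }
  # ... all other filters ...
  /1020 { /type "deny"  /method "TRACE"   /url "*" }
  /1025 { /type "deny"  /method "OPTIONS" /url "*" }
}
"""

# Constructed sample: same rules, but the method denies sit before a broad allow.
BAD_SECTION = """
/filter {
  /0001 { /type "deny"  /url "*" }
  /0010 { /type "deny"  /method "TRACE"   /url "*" }
  /0015 { /type "deny"  /method "OPTIONS" /url "*" }
  # this allow names no /method, so it matches OPTIONS /content/* too
  /0020 { /type "allow" /url "/content/*" }
}
"""


def parse_filter_section(text: str) -> List[Dict[str, str]]:
    """Parse the numbered rules of a /filter section into dicts, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and whitespace
        m = RULE_RE.match(line)
        if not m:
            continue  # "/filter {", "}", blank and comment-only lines
        props = dict(PROP_RE.findall(m.group(2)))
        props["id"] = m.group(1)
        rules.append(props)
    return rules


def rule_matches(rule: Dict[str, str], method: str, url: str) -> bool:
    """A rule matches when every request property it names matches as a glob."""
    request = {"method": method, "url": url}
    return all(fnmatchcase(request[k], rule[k]) for k in MATCH_KEYS if k in rule)


def evaluate(rules: List[Dict[str, str]], method: str, url: str, default: str = "deny") -> str:
    """Walk the rules in order; the LAST matching rule's /type is the verdict.

    `default` (assumed, not documented on this page) applies when no rule matches.
    """
    verdict = default
    for rule in rules:
        if rule_matches(rule, method, url):
            verdict = rule.get("type", default)
    return verdict


if __name__ == "__main__":
    for name, section in (("deny rules last", GOOD_SECTION), ("deny rules early", BAD_SECTION)):
        rules = parse_filter_section(section)
        for method in ("GET", "OPTIONS", "TRACE"):
            print(f"{name:16} {method:7} /content/site/en.html -> "
                  f"{evaluate(rules, method, '/content/site/en.html')}")
```

Note that these rules only govern traffic that passes through the dispatcher. A probe aimed directly at the author or publish port, like the curl against localhost:4503 earlier in this thread, never sees them.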

nagaseranAuthor
Level 2
August 6, 2019

Hi Anuj,

Thanks for the inputs. We want to block the OPTIONS HTTP method on the author & publish servers. The issue is already addressed on our dispatcher server.

Thanks

Seran