Adobe Experience Manager Sites & More

Hi @ButhpurKiran ,

Thank you for the quick response.

After reviewing the OptionsBleed vulnerability, I noticed that according to Apache's documentation, the issue was resolved in version 2.4.28, which was released back in October 2017. However, the `security.conf` file was added in 2019 - 2 years after the vulnerability fix.

This raises question: In 2019, was AMS still running Apache HTTPD version earlier than 2.4.28 or was there another reason to block the Options method?

Thank you for your insights!

Regards,

Rustam 

Hi,

This Apache version for your environment can be checked in AMS that is in use for your applications.

Enter either 

httpd -v or apachectl -v 

Alternatively, you can unblock the pre-flight calls with below approach
(PS: Browsers performs OPTIONS calls to check whether it is safe to send cross origin request to server. Please check all the files before making changes, these are for graphql usage generally used for headless(accessing ContentFragments through persisted graphql) implementations. The paths may change according to your project requirements.)

In your Adobe Experience Manager (AEM) Dispatcher configuration, you can modify your filters.any file and Apache's virtual host configuration. This setup ensures that preflight requests are processed correctly without compromising security.

1. Update filters.any in Dispatcher Configuration

Add the following rule to your filters.any file to allow OPTIONS requests for specific paths, such as GraphQL endpoints

/0060 { /type "allow" /method "(POST|OPTIONS)" /url "/content/_cq_graphql/*/endpoint.json" }

/0061 { /type "allow" /method "(GET|POST|OPTIONS)" /url "/graphql/execute.json*" }

These rules permit OPTIONS requests for the specified GraphQL endpoints, which is essential for CORS preflight checks.

2. Configure Apache Virtual Host for CORS

In your Apache virtual host configuration file (e.g., dispatcher/src/conf.d/available_vhosts/<example>.vhost), add the following CORS headers to handle preflight requests.

<VirtualHost *:80>

  ...

  <IfModule mod_headers.c>

    Header always set Access-Control-Allow-Origin "*"

    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"

    Header always set Access-Control-Allow-Headers "Authorization, Content-Type, Accept"

    Header always set Access-Control-Max-Age "600"

  </IfModule>

  ...

</VirtualHost>

This configuration allows cross-origin requests from any origin (*), which is suitable for development environments. For production, replace * with specific trusted origins to enhance security.

3. Ensure Authentication Excludes OPTIONS Method

If your server uses Basic Authentication, ensure that OPTIONS requests are excluded from authentication checks. Add the following to your Apache configuration:

<LimitExcept OPTIONS>

  Require valid-user

</LimitExcept>

This directive ensures that OPTIONS requests are not blocked by authentication, which is crucial for preflight requests to succeed.

4. Restart Apache Server

After making these changes, restart your Apache server to apply the new configurations:

sudo systemctl restart apache2

By implementing these configurations, your AEM Dispatcher will correctly handle CORS preflight requests, allowing for secure cross-origin interactions, especially for endpoints like GraphQL.

Thanks,

Kind regards,

Kiran Buthpur

Thank you @ButhpurKiran !

Hello @arunpatidar ,

Thank you very much for providing the resource and suggestions.

I will communicate with our Dev team to explore whether switching to an AJAX request is a viable solution. We are considering a proxy setup as a last-resort solution.

While I understand potential risks associated with OPTIONS requests, it's worth noting that browsers still send them quite frequently, and as such, it seems reasonable to consider them legitimate in many cases. Additionally, I couldn't identify any specific security issues tied to handling OPTIONS requests in nginx. 

Thank you once again for your assistance and insights, it's been incredicly helpful.

Regards,

Rustam 

Hi @arunpatidar ,

I've communicated with our Dev team, and it turned out that they are already using AJAX requests rather than Fetch. Despite this, browser keeps sending preflight requests.

Regards,

Rustam

Hi @user62746 

For simple requests OPTIONS call does not triggered. Here are the explanation of simple request - https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#simple_requests 

Arun Patidar

Hi @arunpatidar ,

In the link you've shared, it is mentioned

I assume it is the Authorization header we have that made the request not simple.

Is my understanding correct?

Hi @user62746 

Yes, thats true, simple requests don't allow for custom HTTP headers. This is typically problematic for authorized API calls that use the Authorization: Bearer <Token> pattern.

Arun Patidar

Hi @arunpatidar 

Yes, so I assume that Simple requests are not part of our use case.

Thank you for your help, I really appreciate it!

Regards,

Rustam

Clear insights! Thanks for sharing.