
SOLVED

How to block HTTP OPTIONS request in AEM

Level 4

We recently got a security vulnerability as below.

"OPTIONS method returned values including itself"

We wanted to block it at the AEM level using the Apache Sling Referrer Filter by adding OPTIONS to 'filter.methods', but after updating the configuration I was still able to get a response for the below cURL request.

curl -i -X POST https://test.*****.com/

HTTP/1.1 200 OK
Date: Tue, 26 May 2020 18:28:02 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0
Content-Security-Policy: frame-ancestors 'self';
Content-Type: text/html

Request: please help me with any other config through which the OPTIONS method is blocked for all the URLs hosted on this AEM instance.

1 Accepted Solution

Correct answer by
Level 5

You can block it at the dispatcher level using the below config

/1040 { /type "deny" /method "OPTIONS" /url "*" }

Updating the Apache Referrer Filter to include the OPTIONS method would only check whether there is a referrer header in the request when you request using the OPTIONS method.
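A worked illustration of how a dispatcher /filter section evaluates a rule like the one above, added here as an example that is not from the thread or from Adobe's dispatcher code: rules are checked in file order, double-quoted /method and /url values are glob patterns, and the last matching rule decides, so where the deny rule sits relative to broad allow rules matters. The rule numbers, paths and the allow rules are constructed, and the second function just reads the Allow header out of a captured response like the one pasted in the question.

```python
import fnmatch

# Constructed sample of a dispatcher /filter section, in file order.
# Rule ids, paths and the allow rules are illustrative, not from the thread.
FILTER_RULES = [
    ("0001", "deny",  "*",       "*"),           # deny everything by default
    ("0002", "allow", "GET",     "/content/*"),  # serve published pages
    ("0003", "allow", "POST",    "/content/*"),  # e.g. form submissions
    ("1040", "deny",  "OPTIONS", "*"),           # the rule from the accepted answer
]

def is_allowed(method, url, rules=FILTER_RULES):
    """Evaluate rules in order; the last rule whose /method and /url
    globs both match decides, which is how the dispatcher treats /filter."""
    decision = "deny"
    for _rule_id, rule_type, method_glob, url_glob in rules:
        if (fnmatch.fnmatchcase(method, method_glob)
                and fnmatch.fnmatchcase(url, url_glob)):
            decision = rule_type
    return decision == "allow"

def advertised_methods(raw_response):
    """Return the methods listed in the Allow header of a raw HTTP response
    (the header the scanner flagged), or [] if the header is absent."""
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return [m.strip().upper() for m in value.split(",") if m.strip()]
    return []

# Constructed copy of the relevant headers pasted in the question.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD\r\n"
    "Content-Length: 0\r\n"
)

if __name__ == "__main__":
    print("OPTIONS /content/a.html ->", is_allowed("OPTIONS", "/content/a.html"))  # False
    print("GET /content/a.html ->", is_allowed("GET", "/content/a.html"))          # True
    # Ordering caveat: a deny placed before a broad allow is overridden by it.
    misordered = [("1040", "deny", "OPTIONS", "*"),
                  ("2000", "allow", "*", "/content/*")]
    print("misordered ->", is_allowed("OPTIONS", "/content/a.html", misordered))  # True
    print("Allow header advertises:", advertised_methods(SAMPLE_RESPONSE))
```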


7 Replies


Level 4
So if we do the configuration in AEM to stop the OPTIONS method, how do we test it?

Level 5
You can use this to test after the config is updated:

curl -i -X OPTIONS http://localhost:4502/<path-of-a-page>.html

But if you pass a valid referrer header, it will return a response.

Employee

Review the following document. There are some OSGi settings that should be changed on your production publish and author instances to avoid internal information leaking to the public.

https://docs.adobe.com/content/help/en/experience-manager-65/administering/security/security-checkli...

Level 4

Hi Hamid,

Thanks for the reply. I was not able to find the exact configurations which would resolve my issue. Could you please help me with something specific to my issue?

Employee

It seems in your case the info is released by the Apache HTTP server. You may want to check the ServerTokens configuration, which could contribute to this:

https://httpd.apache.org/docs/2.4/es/mod/core.html#servertokens