We recently got the security vulnerability below.
"OPTIONS method returned values including itself"
We wanted to block it at the AEM level using the Apache Sling Referrer Filter by adding OPTIONS to 'filter.methods', and after updating the configuration, I was still able to get a response for the curl request below.
curl -i -X POST https://test.*****.com/
HTTP/1.1 200 OK
Date: Tue, 26 May 2020 18:28:02 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0
Content-Security-Policy: frame-ancestors 'self';
Content-Type: text/html
Request you to please help me with any other config through which the OPTIONS method is blocked for all the URLs hosted on this AEM instance.