Even after adding OPTIONS method to filter methods in both Adobe Granite CSRF filter and Apache sling referrer filter, the CURL requests are still responding with 200 response.
curl -i -X OPTIONS http://<host>:<port>/content/*****/en/****/home.html
HTTP/1.1 200 OK
Date: Thu, 22 Oct 2020 17:42:30 GMT
Allow: OPTIONS, TRACE, GET, HEAD
is there is any other config which needs to be done to to stop HTTP OPTIONS on the direct server host:port URL, this has been raised a security vulnerability, please help us here
AFAIK the security checklist advises you to always have a dispatcher in front an AEM instance. And then configure this on the dispatcher/webserver. And in that case no one will have direct access to the AEM instance (except maybe admins).