Even after adding OPTIONS method to filter methods in both Adobe Granite CSRF filter and Apache sling referrer filter, the CURL requests are still responding with 200 response.
curl -i -X OPTIONS http://<host>:<port>/content/*****/en/****/home.html
HTTP/1.1 200 OK
Date: Thu, 22 Oct 2020 17:42:30 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0
is there is any other config which needs to be done to to stop HTTP OPTIONS on the direct server host:port URL, this has been raised a security vulnerability, please help us here
@Vijayalakshmi_S @Jörg_Hoh @vanegi @arunpatidar
Solved! Go to Solution.
Views
Replies
Total Likes
Hi,
AFAIK the security checklist advises you to always have a dispatcher in front an AEM instance. And then configure this on the dispatcher/webserver. And in that case no one will have direct access to the AEM instance (except maybe admins).
Views
Likes
Replies
Views
Likes
Replies