unable to block http options with AEM felix configuration

ramgopalm545617
Level 3

22-10-2020

Even after adding the OPTIONS method to the filter methods in both the Adobe Granite CSRF Filter and the Apache Sling Referrer Filter, the curl requests are still responding with a 200 response.


curl -i -X OPTIONS http://<host>:<port>/content/*****/en/****/home.html
HTTP/1.1 200 OK
Date: Thu, 22 Oct 2020 17:42:30 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0


Is there any other config which needs to be done to stop HTTP OPTIONS on the direct server host:port URL? This has been raised as a security vulnerability, please help us here.

@Vijayalakshmi_S @Jörg_Hoh @vanegi @Arun_Patidar 

Accepted Solutions (0)

Answers (2)

Arun_Patidar
MVP

25-10-2020

Jörg_Hoh
Employee

22-10-2020

Hi,


AFAIK the security checklist advises you to always have a dispatcher in front of an AEM instance. And then configure this on the dispatcher/webserver. And in that case no one will have direct access to the AEM instance (except maybe admins).
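As an added illustration of the approach in this answer (example configuration, not from the thread or from Adobe's dispatcher sample files), the fragment below shows how the Apache httpd instance that carries the dispatcher module can refuse OPTIONS and TRACE before a request ever reaches AEM. The host name, port and the method allow-list are assumptions for a typical publish site; the dispatcher handler lines follow the usual dispatcher setup and are included only to show where the rule sits relative to it.

```apache
# Added example: httpd.conf virtual host in front of an AEM publish instance.
# ServerName and the allowed-method list are placeholders/assumptions.
<VirtualHost *:80>
    ServerName www.example.com

    # The Allow header in the question listed TRACE as well; httpd disables it
    # server-wide with this directive, independently of the rewrite rule below.
    TraceEnable off

    # Allow only the methods the published site actually needs. Any other
    # method, OPTIONS included, is answered with 405 Method Not Allowed here,
    # so neither the dispatcher module nor AEM ever sees it.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$ [NC]
    RewriteRule .* - [R=405,L]

    # Remaining requests are handed to the dispatcher module as usual
    # (assumed standard dispatcher wiring; shown for context only).
    <IfModule disp_apache2.c>
        SetHandler dispatcher-handler
    </IfModule>
</VirtualHost>
```

After a reload, `curl -i -X OPTIONS http://www.example.com/<page>.html` through the web server should return `HTTP/1.1 405 Method Not Allowed` instead of the 200 shown in the question. This only helps for traffic that goes through the dispatcher: the `host:port` URL in the question bypasses it entirely, which is why the answer above also expects the AEM port itself to be unreachable except to the dispatcher host and administrators.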