Unable to block HTTP OPTIONS with AEM Felix configuration

ramgopalm545617

22-10-2020

Even after adding the OPTIONS method to the filter methods in both the Adobe Granite CSRF filter and the Apache Sling referrer filter, the curl requests still get a 200 response.


curl -i -X OPTIONS http://<host>:<port>/content/*****/en/****/home.html
HTTP/1.1 200 OK
Date: Thu, 22 Oct 2020 17:42:30 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0


Is there any other config that needs to be done to stop HTTP OPTIONS on the direct server host:port URL? This has been raised as a security vulnerability, please help us here.

@Vijayalakshmi_S @Jörg_Hoh @vanegi @Arun_Patidar 

Accepted Solutions (0)

Answers (2)

Arun_Patidar
MVP

25-10-2020

Jörg_Hoh
Employee

22-10-2020

Hi,


AFAIK the security checklist advises you to always have a dispatcher in front of an AEM instance. And then configure this on the dispatcher/webserver. And in that case no one will have direct access to the AEM instance (except maybe admins).
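One way to apply that advice at the web server layer, as an added example that is not part of the thread: an Apache httpd 2.4 virtual host (hostname is a placeholder) fronting AEM through the Dispatcher module, rejecting every method the site does not need, which covers the OPTIONS and TRACE entries seen in the Allow header above.

```apache
# Constructed example: httpd 2.4 vhost in front of AEM via the Dispatcher module.
# Only the methods the site actually needs are let through; everything else,
# OPTIONS included, is answered with 403 by httpd before it reaches AEM.
<VirtualHost *:80>
    # placeholder hostname
    ServerName www.example.com

    # TRACE is answered by httpd itself and is not covered by LimitExcept
    TraceEnable off

    <Location />
        # Deny every method except the listed ones
        <LimitExcept GET HEAD POST>
            Require all denied
        </LimitExcept>
    </Location>

    # Equivalent Dispatcher rule (goes in the /filter section of dispatcher.any,
    # which is not httpd syntax):
    #   /0099 { /type "deny" /method "OPTIONS" }
</VirtualHost>
```

Re-running the `curl -i -X OPTIONS` request from the question against the web server should then return 403 instead of 200. As the answer points out, this only helps if direct host:port access to the AEM instance is also closed off at the network level.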