Even after adding the OPTIONS method to the filter methods in both the Adobe Granite CSRF filter and the Apache Sling Referrer filter, the cURL requests still respond with a 200 response.

curl -i -X OPTIONS http://<host>:<port>/content/*****/en/****/home.html
HTTP/1.1 200 OK
Date: Thu, 22 Oct 2020 17:42:30 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0

Is there any other config which needs to be done to stop HTTP OPTIONS on the direct server host:port URL? This has been raised as a security vulnerability, please help us here.
@Vijayalakshmi_S @Jörg_Hoh @vanegi @Arun_Patidar
Please check if this helps
AFAIK the security checklist advises you to always have a dispatcher in front of an AEM instance. And then configure this on the dispatcher/webserver. And in that case no one will have direct access to the AEM instance (except maybe admins).
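One way to enforce the advice above at the Apache httpd that hosts the dispatcher, so OPTIONS and TRACE are answered before the dispatcher module forwards anything to AEM. This is an added example, not code from the thread or from Adobe; the vhost name and the list of allowed methods are assumptions and should be adjusted to what the site actually needs.

```apache
# Added example: block OPTIONS/TRACE at the web server in front of AEM.
# Assumes the dispatcher vhost is the one serving /content.

# TRACE is disabled server-wide; it never reaches any vhost.
TraceEnable off

<VirtualHost *:80>
    ServerName www.example.com   # placeholder host name (assumption)

    # Answer any method the site does not use with 403 before the
    # dispatcher handler sees the request. Adjust the allowed set
    # if the site legitimately needs more than GET/HEAD/POST.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$ [NC]
    RewriteRule .* - [F,L]

    <Location />
        # Second line of defence: mod_authz_core denies the same methods
        # even if mod_rewrite is switched off for this vhost.
        <LimitExcept GET HEAD POST>
            Require all denied
        </LimitExcept>
    </Location>

    <Directory />
        <IfModule disp_apache2.c>
            SetHandler dispatcher-handler
        </IfModule>
    </Directory>
</VirtualHost>
```

After reloading httpd, the same `curl -i -X OPTIONS` against the dispatcher host should return 403 rather than 200, while direct host:port access to AEM itself is what the firewall or network layout has to close off.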