Even after adding the OPTIONS method to the filter methods in both the Adobe Granite CSRF Filter and the Apache Sling Referrer Filter, the curl requests still come back with a 200 response.
curl -i -X OPTIONS http://<host>:<port>/content/*****/en/****/home.html
HTTP/1.1 200 OK
Date: Thu, 22 Oct 2020 17:42:30 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0
Is there any other config which needs to be done to stop HTTP OPTIONS on the direct server host:port URL? This has been raised as a security vulnerability, please help us here.
@Vijayalakshmi_S @Jörg_Hoh @vanegi @Arun_Patidar
Please check if this helps
AFAIK the security checklist advises you to always have a dispatcher in front of an AEM instance, and then configure this on the dispatcher/webserver. In that case no one will have direct access to the AEM instance (except maybe admins).
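One way to do what the reply above describes, as an added example that is not from the original thread or from Adobe's documentation: an Apache httpd vhost fragment for the dispatcher web server that rejects OPTIONS and TRACE before the request reaches the AEM publish instance. The vhost name, the AEM backend address and the allowed-method list are assumptions; the AEM port itself must additionally be unreachable from outside (firewall/security group), or the direct host:port check on the page will still return 200.

```apache
# Added example (not from the thread). Assumed vhost for the dispatcher tier.
# TRACE is answered by httpd itself regardless of handler, so disable it globally.
TraceEnable Off

<VirtualHost *:80>
    ServerName www.example.com          # assumption: public site hostname

    # Reject every method except the ones the site actually needs.
    # OPTIONS, TRACE, PUT, DELETE, PROPFIND, ... all get 403 from httpd,
    # so the dispatcher module never forwards them to AEM.
    <Location "/">
        <LimitExcept GET POST HEAD>
            Require all denied
        </LimitExcept>
    </Location>

    # Hand the remaining requests to the dispatcher module as usual.
    <Directory "/">
        SetHandler dispatcher-handler
    </Directory>

    # Hardening headers the page shows AEM already sending; keep them at the edge too.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</VirtualHost>
```

Verify from outside with the same command the question used, `curl -i -X OPTIONS https://www.example.com/content/.../home.html`, which should now return 403 with no Allow header; re-run it against the AEM host:port directly to confirm that path is blocked at the network layer rather than relying on httpd.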