Expand my Community achievements bar.

Join expert-led, customer-led sessions on Adobe Experience Manager Assets on August 20th at our Skill Exchange.
Register Now

Mark Solution

This conversation has been locked due to inactivity. Please create a new post.

SOLVED

unable to block http options with AEM felix configuration

Avatar

Level 4
Level 4
10/22/20 10:48:42 AM

Even after adding OPTIONS method to filter methods in both Adobe Granite CSRF filter and Apache sling referrer filter, the CURL requests are still responding with 200 response.

 

curl -i -X OPTIONS http://<host>:<port>/content/*****/en/****/home.html
HTTP/1.1 200 OK
Date: Thu, 22 Oct 2020 17:42:30 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0

 

is there is any other config which needs to be done to to stop HTTP OPTIONS on the direct server host:port URL, this has been raised a security vulnerability, please help us here

@Vijayalakshmi_S @Jörg_Hoh @vanegi @arunpatidar 

Views

1.5K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
10/29/20 1:25:41 PM
In response to arunpatidar
Not sure, what could be the issueIf, if you want to block the request, create your own filter and block the request based on this 2 urls.
Arun Patidar

AEM LinksLinkedIn

View solution in original post

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Employee Advisor
Employee Advisor
10/22/20 12:20:36 PM

Hi,

 

AFAIK the security checklist advises you to always have a dispatcher in front an AEM instance. And then configure this on the dispatcher/webserver. And in that case no one will have direct access to the AEM instance (except maybe admins).

Views

1.4K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
10/23/20 7:57:04 AM
In response to Jörg_Hoh
Hi @Jörg_Hoh, we also know that this has to be blocked at apache level, but there is a security vulnerability that AEM HTTP OPTIONS opened, so we have to fix the issue

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
10/25/20 11:22:59 AM

Please check if this helps

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-block-http-options-...

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem6-4-1-block-options-met...

 

Arun Patidar

AEM LinksLinkedIn

Views

1.4K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
10/27/20 4:37:51 AM
In response to arunpatidar
thanks for the reply, even after adding the method to apache sling referrer filter, we are still facing the issue. it's strange that the local host is giving 401 for me as well in publish even without adding any configurations, really confused what should be next steps here. @arunpatidar

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
10/29/20 1:25:41 PM
In response to arunpatidar
Not sure, what could be the issueIf, if you want to block the request, create your own filter and block the request based on this 2 urls.
Arun Patidar

AEM LinksLinkedIn

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Add Custom Header in AEM Dispatcher Response Solved

Views

26

Likes

0

Replies

1
How to set default policy for XF template in AEM Solved

Views

58

Likes

0

Replies

2
Overwriting of PathFactory Packages by Project Pipeline in AEM Cloud Solved

Views

79

Likes

0

Replies

3
How to delete read-only access in AdobeLiveCycle Designer Version 6.1.0.20161021.1.926580

Views

41

Likes

0

Replies

0
Dynamic Participant Step assigning to admin instead of previous task completer

Views

86

Likes

0

Replies

2