Hi Mantas, I assume you are referring to CORS as described here (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS). Does the Qpid web console actually do any cross-origin requests that would require a pre-flight request (https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request)?
I didn’t think it did, but I certainly could be wrong. -- Tom From: Mantas Gridinas <mgridi...@gmail.com> Reply-To: "users@qpid.apache.org" <users@qpid.apache.org> Date: Thursday, July 15, 2021 at 10:50 AM To: "users@qpid.apache.org" <users@qpid.apache.org> Subject: Re: [Broker-J] Http management interface should ignore OPTIONS method Sadly options request is necessary for browsers to assert whether or not the result of a request should be exposed to caller, isn't it? On Thu, Jul 15, 2021, 17:47 Tom Jordahl <tjord...@adobe.com.invalid<mailto:tjord...@adobe.com.invalid>> wrote: Hello Devs, In our environment we run security scanning tools. They flag any HTTP port that supports the OPTIONS method as a problem: “Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.” I don’t see Qpid having any need to support this method, so I have filed a bug with a patch that blocks the OPTIONS method: https://issues.apache.org/jira/browse/QPID-8552. I would love to have this patch in the next 8.x release of Broker-J. Thoughts? -- Tom
