> We will look into adding corresponding changes into version 8.0.6.

Thanks Alex, great to hear.  We have to remediate this for our security people 
so getting this in the next release will be very helpful.

--
Tom

From: Oleksandr Rudyy <oru...@gmail.com>
Reply-To: "users@qpid.apache.org" <users@qpid.apache.org>
Date: Monday, July 19, 2021 at 4:24 AM
To: "users@qpid.apache.org" <users@qpid.apache.org>
Subject: Re: [Broker-J] Http management interface should ignore OPTIONS method

Hi Tom,
The Qpid Broker-J supports configuring CORS settings to allow access
to REST API from different origins. This can be done via HTTP
management attributes
(corsAllowOrigins, corsAllowMethods, corsAllowHeaders, corsAllowCredentials).
Though, by default, the origin(s), allowed headers and methods are not
set. Thus, it is actually safe to disable the OPTIONS method when no
origin-related attribute is set.
We will look into adding corresponding changes into version 8.0.6.

Kind Regards,
Alex

On Thu, 15 Jul 2021 at 15:47, Tom Jordahl <tjord...@adobe.com.invalid> wrote:

Hello Devs,

In our environment we run security scanning tools.  They flag any HTTP port 
that supports the OPTIONS method as a problem:
   “Web servers that respond to the OPTIONS HTTP method expose what other 
methods are supported by the web server, allowing attackers to narrow and 
intensify their efforts.”

I don’t see Qpid having any need to support this method, so I have filed a bug 
with a patch that blocks the OPTIONS method: 
https://issues.apache.org/jira/browse/QPID-8552. I would love to have this 
patch in the next 8.x release of Broker-J.

Thoughts?
--
Tom
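
One way to verify the behaviour discussed in this thread, as an added example that is not part of the original messages or of Broker-J: it sends a single OPTIONS request to an HTTP port and reports the status plus any Allow or CORS header returned. The two local handlers are constructed stand-ins for an endpoint that answers OPTIONS and one that rejects it; all function, class and field names are hypothetical.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_options(host, port, path="/", origin=None):
    """Send one OPTIONS request and report what the endpoint returns."""
    # With an origin, the request is shaped like a CORS preflight.
    headers = {"Origin": origin, "Access-Control-Request-Method": "GET"} if origin else {}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return {
            "status": resp.status,
            "allow": resp.getheader("Allow"),
            "cors_origin": resp.getheader("Access-Control-Allow-Origin"),
            "answers_options": resp.status < 400,  # what a scanner would flag
        }
    finally:
        conn.close()

class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging in the demo
        pass

class Unpatched(_Quiet):  # constructed stand-in: answers OPTIONS, lists methods
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, POST, PUT, DELETE, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

class Patched(_Quiet):  # constructed stand-in: rejects OPTIONS
    def do_OPTIONS(self):
        self.send_error(405)

def demo():
    """Probe both constructed endpoints on loopback and return the findings."""
    results = {}
    for name, handler in (("unpatched", Unpatched), ("patched", Patched)):
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            results[name] = probe_options("127.0.0.1", srv.server_port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results
if __name__ == "__main__":
    print(demo())
```

Pointing `probe_options` at a management port, with and without `origin`, shows whether OPTIONS is still answered there and whether a CORS origin has been configured.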
