
Have APIs properly generate Access-Control-Allow-Methods headers based on the HTTP Verbs they accept

Open swicken-dotcms opened this issue 2 years ago • 0 comments

Is your feature request related to a problem? Please describe.

Currently every request to an API generates the following response header: `access-control-allow-methods: GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH`. While there is currently no known exploit in dotCMS related to this, security best practices dictate that we should only respond with the HTTP Verbs we accept on any given endpoint.

Related Ticket: https://dotcms.zendesk.com/agent/tickets/108479

Describe the solution you'd like

For all of our inbuilt APIs, these headers should be generated based on the HTTP Verbs that are accepted in the resource.

For the scripting API, we should scan the directory for each path to determine the HTTP Verbs that are accepted.
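The two approaches above (a per-resource verb table for the built-in APIs, and a directory scan for the scripting API) are illustrated by the following added example. It is not dotCMS code: the route table is constructed for the demo, and the assumption that each scripting verb is backed by a file named `<verb>.vtl` in the endpoint's directory is mine, not something the issue states. The preflight handler shows the security-relevant behaviour: an endpoint advertises only the verbs it accepts, and a preflight for any other verb gets no CORS allow headers.

```python
import os
import tempfile

# Constructed per-resource verb table standing in for the built-in APIs
# (assumption: in the real system this would come from the resource's
# annotations, not a hand-written dict).
BUILTIN_ROUTES = {
    "/api/v1/content": {"GET", "POST", "PUT"},
    "/api/v1/workflow": {"GET", "POST"},
}

# Verbs a scripting endpoint could implement, one file per verb (assumed naming).
SCRIPT_VERBS = ("GET", "POST", "PUT", "DELETE", "PATCH")

# Deterministic order for the header value so responses are stable and testable.
HEADER_ORDER = ["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]


def scripted_verbs(script_dir):
    """Derive the accepted verbs of a scripting endpoint from its directory.

    Assumption (not from the issue): a verb is accepted exactly when a file
    named <verb>.vtl exists, e.g. get.vtl for GET. Any other file is ignored.
    """
    verbs = set()
    for name in os.listdir(script_dir):
        base, ext = os.path.splitext(name)
        if ext == ".vtl" and base.upper() in SCRIPT_VERBS:
            verbs.add(base.upper())
    return verbs


def allow_methods_header(verbs):
    """Build Access-Control-Allow-Methods from the verbs an endpoint accepts.

    HEAD is implied by GET and OPTIONS is always present for preflight; nothing
    else is added, so the blanket GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH value
    is never emitted for an endpoint that does not accept all of those verbs.
    """
    methods = set(verbs)
    if "GET" in methods:
        methods.add("HEAD")
    methods.add("OPTIONS")
    return ",".join(m for m in HEADER_ORDER if m in methods)


def preflight(path, requested_method, routes):
    """Answer a CORS preflight (OPTIONS carrying Access-Control-Request-Method).

    Returns (status, headers). Unknown paths get 404; a requested verb the
    endpoint does not accept gets 403 with no CORS allow headers at all, so the
    browser blocks the cross-origin call instead of being told it is allowed.
    """
    verbs = routes.get(path)
    if verbs is None:
        return 404, {}
    allowed = allow_methods_header(verbs)
    if requested_method.upper() not in allowed.split(","):
        return 403, {}
    return 204, {"Access-Control-Allow-Methods": allowed}


def demo_script_dir():
    """Create a constructed scripting-endpoint directory: get.vtl, post.vtl and
    an unrelated README.md that the scan must ignore. Returns its path."""
    d = tempfile.mkdtemp(prefix="scripted-endpoint-")
    for name in ("get.vtl", "post.vtl", "README.md"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("## constructed placeholder\n")
    return d


if __name__ == "__main__":
    routes = dict(BUILTIN_ROUTES)
    # Register a scripting endpoint whose verbs come from the directory scan.
    routes["/api/vtl/report"] = scripted_verbs(demo_script_dir())
    for path, verbs in routes.items():
        print(path, "->", allow_methods_header(verbs))
    print(preflight("/api/v1/workflow", "DELETE", routes))  # (403, {})
```

Running the module prints one header value per endpoint and shows a rejected preflight for a verb the workflow endpoint does not accept; the same functions can be called from a test harness to check that no endpoint ever advertises a verb outside its own table.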

swicken-dotcms · Sep 15 '22 19:09