Open swicken-dotcms opened 1 year ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Reproduced in demo
@swicken-dotcms Could this be covered by adding a dotCMS ruleset?
No, @mbiuki. This configuration needs to be set per API route and is controlled by us. It should not be an expectation on the end user. Each route should respond with a header specifying the verbs it accepts as part of the standard REST protocol.
I'd suggest we work out the responses alongside adding verbs to our swagger file. Not sure if there is a tool to automatically generate one from the other. https://demo.dotcms.com/api/openapi.json
I think it would start from the above - to identify and add accepted HTTP methods for each endpoint in our swagger file.
This could potentially be covered by a WAF that disallows prohibited verbs, or by the back-end: if it does not accept a particular verb, the back-end would just not support it, most likely with a 405.
@nollymar - please review and possibly assign it to the intern to take it forward with respect to creating respective verbs for each query, thanks.
Scout team to discuss internally, thanks.
@nollymar - can you please give us an update. I believe this would have been taken forward with newly hired intern?
Is your feature request related to a problem? Please describe.
Currently every request to an API generates the following response header
access-control-allow-methods: GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH
While there is currently no known exploit in dotCMS related to this, security best practices dictate that we should only respond with the HTTP Verbs we accept on any given endpoint.
Related Ticket: https://dotcms.zendesk.com/agent/tickets/108479
Describe the solution you'd like
For all of our inbuilt APIs, these headers should be generated based on the HTTP Verbs that are accepted in the resource.
For the scripting API, we should scan the directory for each path to determine the HTTP Verbs that are accepted.
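The following is an added illustration of the approach discussed in this thread (deriving each route's accepted verbs from the OpenAPI document, then emitting `Allow` / `Access-Control-Allow-Methods` from that table and answering other verbs with 405). It is not dotCMS code; the OpenAPI snippet is constructed for the example rather than taken from https://demo.dotcms.com/api/openapi.json, and the rule that HEAD is implied by GET and OPTIONS is always answered is an assumption about the framework, not something the thread states.

```python
"""Per-route Allow / Access-Control-Allow-Methods derived from an OpenAPI document.

Added example, not dotCMS code. SAMPLE_OPENAPI below is constructed for
illustration; the real document is served at /api/openapi.json.
"""
import json

# Constructed, minimal OpenAPI 3 document with two paths and different verb sets.
# Note the non-method key "parameters" inside a path item: it must be ignored.
SAMPLE_OPENAPI = json.loads("""
{
  "openapi": "3.0.1",
  "paths": {
    "/v1/content/{id}": {
      "get": {"summary": "fetch"},
      "put": {"summary": "replace"},
      "delete": {"summary": "remove"},
      "parameters": [{"name": "id", "in": "path"}]
    },
    "/v1/workflow/fire": {
      "post": {"summary": "fire action"}
    }
  }
}
""")

# Path-item keys that denote HTTP operations in OpenAPI 3.
HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options", "trace")


def allowed_methods(openapi: dict) -> dict:
    """Map each path to the sorted, upper-cased verbs it actually implements.

    Assumption (not from the thread): HEAD is served whenever GET is, and the
    framework answers OPTIONS for every known path, so both are added.
    """
    table = {}
    for path, item in openapi.get("paths", {}).items():
        verbs = {key.upper() for key in item if key.lower() in HTTP_METHODS}
        if "GET" in verbs:
            verbs.add("HEAD")
        verbs.add("OPTIONS")
        table[path] = sorted(verbs)
    return table


def respond(table: dict, method: str, path: str, origin: str = None):
    """Return (status, headers) for a request; body is omitted.

    Only the verbs the route accepts are advertised, and an unsupported verb
    gets 405 with the Allow header that RFC 9110 section 15.5.6 requires.
    """
    if path not in table:
        return 404, {}
    allow = ",".join(table[path])
    headers = {"Allow": allow}
    if origin is not None:
        # CORS response: advertise exactly the route's verbs, not a global list.
        headers["Access-Control-Allow-Methods"] = allow
    verb = method.upper()
    if verb == "OPTIONS":
        return 204, headers
    if verb not in table[path]:
        return 405, headers
    return 200, headers


def audit_header(table: dict, path: str, header_value: str) -> set:
    """Verbs an observed Access-Control-Allow-Methods header advertises
    that the route does not implement (the condition this issue reports)."""
    advertised = {v.strip().upper() for v in header_value.split(",") if v.strip()}
    return advertised - set(table.get(path, []))


if __name__ == "__main__":
    routes = allowed_methods(SAMPLE_OPENAPI)
    for p, verbs in routes.items():
        print(p, "->", ",".join(verbs))
    print(respond(routes, "PATCH", "/v1/content/{id}"))
    print(audit_header(routes, "/v1/workflow/fire",
                       "GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH"))
```

`audit_header` is the check a practitioner would run against a live instance: capture the header each endpoint currently returns, compare it with the verbs the OpenAPI document declares, and any non-empty result is a route that still advertises more than it accepts.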