
403 Forbidden error for AEM GraphQL endpoints routed through Edge Delivery Service

POST requests to native GraphQL endpoints in AEM as a Cloud Service - Sites fail with a 403 Forbidden error when they are routed through Adobe Edge Delivery Service. The resolution is to update the Referrer OSGi configuration so that it explicitly allows the GraphQL paths, the trusted host patterns, and the HTTP methods involved.

Description

Environment

  • Adobe Experience Manager (AEM) as a Cloud Service - Sites
  • Adobe Edge Delivery Service (EDS)

Issue/Symptoms

GraphQL POST requests succeed under the following conditions:

  • When accessing the publish domain directly using tools like Postman or curl.
  • When requests originate from a local frontend development environment.

However, when the same requests are routed through Adobe Edge Delivery Service, they fail with a 403 Forbidden response. Observations include:

  • OPTIONS calls return 200 OK.
  • POST calls return 403 Forbidden.

Configurations verified

The following configurations were confirmed to be correctly set:

  1. Dispatcher filters allow the GET, POST, and OPTIONS methods for the path /content/cq:graphql/.*.
  2. OSGi configurations for ReferrerFilter, CORSFilter, and CSRFPreventionFilter are set to allow GraphQL requests.
  3. Required headers (Origin, Host, Content-Type) are present and not stripped.

Resolution

To resolve this issue, update the Referrer OSGi configuration (org.apache.sling.security.impl.ReferrerFilter.cfg.json) with the following settings:

  1. Add paths that should be allowed (allow.paths):

    • /content/cq:graphql/.*
  2. Configure allowed hosts using regular expressions to match domains (allow.hosts.regexp):

    • https://.*\.adobe\.com(:443)?
    • https://.*\.adobe\.net(:443)?
    • https://.*\.workfront\.com(:443)?
    • https://.*\.workfront-dev\.com(:443)?
    • https://.*\.dev\.workfront\.tech(:443)?
    • https://.*\.aem\.live(:443)?
  3. Enable filtering by setting filter.enabled to true.

  4. Allow empty referrers by setting allow.empty to true. Note that this lets any request that carries no Referer header at all (curl, Postman, or a browser fetch under a no-referrer policy) through the referrer check; keep that in mind when reviewing what the endpoint exposes.

  5. Specify allowed HTTP methods:

    • GET
    • POST
    • OPTIONS

Sample Referrer OSGi Configuration:

{
  "allow.paths": [
    "/content/cq:graphql/.*"
  ],
  "allow.hosts.regexp": [
    "https://.*\\.adobe\\.com(:443)?",
    "https://.*\\.adobe\\.net(:443)?",
    "https://.*\\.workfront\\.com(:443)?",
    "https://.*\\.workfront-dev\\.com(:443)?",
    "https://.*\\.dev\\.workfront\\.tech(:443)?",
    "https://.*\\.aem\\.live(:443)?"
  ],
  "filter.enabled": true,
  "allow.empty": true,
  "allow.methods": [ "GET", "POST", "OPTIONS" ]
}

For additional context, refer to this community discussion.
