ÃÛ¶¹ÊÓƵ

Documentation

403 Forbidden error for AEM GraphQL endpoints routed through Edge Delivery Service

Last update: Thu Jul 10 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

Making POST requests to native GraphQL endpoints in AEM as a Cloud Service - Sites routed via ÃÛ¶¹ÊÓƵ Edge Delivery Service results in a  403 Forbidden error. The resolution involves updating the Referrer OSGi configuration to explicitly allow GraphQL paths, trusted host patterns, and HTTP methods.

Description description

Environment

  • ÃÛ¶¹ÊÓƵ Experience Manager (AEM) as a Cloud Service - Sites
  • ÃÛ¶¹ÊÓƵ Edge Delivery Service (EDS)

Issue/Symptoms

GraphQL POST requests succeed under the following conditions:

  • When accessing the publish domain directly using tools like Postman or curl.
  • When requests originate from a local frontend development environment.

However, when routed through ÃÛ¶¹ÊÓƵ Edge Delivery Service, the same requests fail with a 403 Forbidden  response. Observations include:

  • OPTIONS calls return 200 OK.
  • POST calls return 403 Forbidden.

Configurations verified

The following configurations were confirmed to be correctly set:

  1. Dispatcher filters allow GET, POST, and OPTIONS methods for the path /content/cq:graphql/.*.
  2. OSGi configurations for ReferrerFilter, CORSFilter, and CSRFPreventionFilter are set to allow GraphQL requests.
  3. Required headers (Origin, Host, Content-Type) are present and not stripped.

Resolution resolution

To resolve this issue, update the Referrer OSGi configuration (org.apache.sling.security.impl.ReferrerFilter.cfg.json) with the following settings:

  1. Add paths that should be allowed (allow.paths):

    • /content/cq:graphql/.*

  2. Configure allowed hosts using regular expressions to match domains (allow.hosts.regexp):

    • https://.*\.adobe\.com(:443)?
    • https://.*\.adobe\.net(:443)?
    • https://.*\.workfront\.com(:443)?
    • https://.*\.workfront-dev\.com(:443)?
    • https://.*\.dev\.workfront\.tech(:443)?
    • https://.*\.aem\.live(:443)?

  3. Enable filtering by setting filter.enabledÌý³Ù´Ç true.

  4. Allow empty referrers by setting allow.emptyÌý³Ù´Ç true.

  5. Specify allowed HTTP methods:

    • GET
    • POST
    • OPTIONS

Sample Referrer OSGi Configuration:

{
  "allow.paths": [
    "/content/cq:graphql/.*",

  ] ,
  "allow.hosts.regexp": [
    "https://.*\\.adobe\\.com(:443)?",
    "https://.*\\.adobe\\.net(:443)?",
    "https://.*\\.workfront\\.com(:443)?",
    "https://.*\\.workfront-dev\\.com(:443)?",
    "https://.*\\.dev\\.workfront\\.tech(:443)?",
    "https://.*\\.aem\\.live(:443)?"
  ] ,
  "filter.enabled": true,
  "allow.empty": true,
  "allow.methods": [ "GET", "POST", "OPTIONS"]
}

For additional context, refer to this community discussion .

recommendation-more-help
3d58f420-19b5-47a0-a122-5c9dab55ec7f