Http Trace / Track Methods Allowed ( Security Vulnerability )

Hi

We have a site (https://app.lazyapply.com) and we have opted for CASA tier 2 verification. For that we have done DSAT testing on our application and found out that there is a proxy disclosure alert on attack (TRACE and OPTIONS methods with the 'Max-Forwards' header; TRACK method).

So I request you to disable Trace / Track method for my site so that this vulnerability can be fixed.

Link for DSAT scan result with ZAP on app.lazyapply.com
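The post above describes the probe that raises the proxy disclosure alert: TRACE and OPTIONS requests carrying a Max-Forwards header, plus a TRACK request. Below is an added example (not code from the original thread, ZAP, or Netlify) that reproduces that probe against two local stub servers: one that echoes TRACE/TRACK and advertises a platform-identifying Server header, and one that refuses those methods with 405 and sends no Server header. The stub handlers, the X-Probe-Marker header name and the use of a random free port on 127.0.0.1 are assumptions made for the demo.

```python
"""Probe a host for TRACE/TRACK echo and Max-Forwards handling.

Added example; it is not Netlify's code and not the ZAP scan rule itself.
The two stub servers below are constructed so the probe runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MARKER = "X-Probe-Marker"   # assumed header: sent by the probe, looked for in any echo


class PermissiveHandler(BaseHTTPRequestHandler):
    """Echoes TRACE/TRACK bodies like a naive proxy and names the platform."""

    def version_string(self):          # becomes the automatic "Server:" header
        return "Netlify"

    def log_message(self, *args):      # keep the demo quiet
        pass

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def _echo(self):
        # message/http echo of the request line plus every request header
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_TRACE = _echo
    do_TRACK = _echo

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, OPTIONS, TRACE, TRACK")
        self.send_header("Content-Length", "0")
        self.end_headers()


class HardenedHandler(PermissiveHandler):
    """Refuses TRACE/TRACK with 405 and omits the Server header entirely."""

    def send_response(self, code, message=None):
        # send_response_only skips the automatic Server and Date headers
        self.send_response_only(code, message)

    def _reject(self):
        self.send_response(405)
        self.send_header("Allow", "GET, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACE = _reject
    do_TRACK = _reject

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()


def probe(host, port):
    """Send the TRACE / TRACK / OPTIONS+Max-Forwards requests and summarise."""
    findings = {}
    for method in ("TRACE", "TRACK"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, "/", headers={MARKER: "probe", "Max-Forwards": "0"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        findings[method] = {
            "status": resp.status,
            # an echo of our own marker header is what the scanner keys on
            "echoed": resp.status == 200 and MARKER.lower() in body.lower(),
        }
        findings.setdefault("server", resp.getheader("Server"))
        conn.close()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", "/", headers={"Max-Forwards": "0"})
    resp = conn.getresponse()
    resp.read()
    findings["allow"] = resp.getheader("Allow")
    conn.close()
    return findings


def assess(handler):
    """Run a stub server with the given handler, probe it, tear it down."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)   # port 0: OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe(*srv.server_address)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, handler in (("permissive", PermissiveHandler), ("hardened", HardenedHandler)):
        print(name, assess(handler))
```

Point `probe()` at a real host only with written permission from the operator, as the reply further down in this thread makes clear. Note that the probe reports what the server returns; whether an echoed TRACE is exploitable still depends on a client-side vector (for example a browser that can be made to issue the request and read the response), which is the "proof of exploit" that is asked for below.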

We’ve responded to your ticket in the helpdesk.

I have the same problem as the example above. How can I solve the problem related to disabling the Trace / Track method?

This was the response in the helpdesk to which we never received a reply:

Please provide proof of vulnerability. Having TRACE and TRACK methods is not a vulnerability. Is there a proof of exploit?

Having those methods is required as they can be used by various websites, and also used in Netlify Functions. With that being said, if you run any further tests without getting a written permission from our end, it would lead to an account suspension.

Hi, we have the same issue. During the CASA tier 2 verification process, they pointed out that the "server: Netlify" header allows a potential attacker to know which platform we use, making the attack more specific.
We would be glad if you’d give us the option to remove or modify this header from TRACK/TRACE/OPTIONS requests.

Do you have an answer to the above?

Technically speaking, this is not a severe issue, and once we asked the CASA verification lab about this they resolved it as a false positive. So to answer your question: there is no known vuln.

That said, if this is an issue that is being flagged multiple times by automated scanners, maybe it should be addressed, in order to avoid frustration and unnecessary work.

We’d be happy to address this if a proof of exploit is presented. Without that, this is just theoretical.

Netlify is independently audited by 3rd party vendors and the proofs are published on trust.netlify.com (documents are accessible to Enterprise customers only). Thus, we’re fairly confident that this is not a real issue or something that needs addressing. If this can be countered, I can make a case with the engineers to de-prioritise the other important things they’re working on and focus on this.