Information about /.netlify/verification/

We are seeing potentially malicious users hit this route. We don’t have this defined in our codebase and can’t find it in any installed packages. When we access it ourselves it triggers a download of a file containing strange characters.

Is there any information about where this is coming from, what it is supposed to do, and if this is potentially a vulnerability?

Hey there, @akam9865 :wave:

Thanks so much for reaching out about this. When you say that you see potentially malicious users hitting this route, can you explain a bit further? Do you have any data or examples you can share? I want to make sure I am able to share as many details as possible with the folks who will investigate this.

Thanks!

Hi Hillary,

We see requests being blocked in Cloudflare with User agent: node-fetch and a path like: /.netlify/verification/{long id}. Potentially malicious because they are getting blocked by Cloudflare and because we aren’t aware of this route and are not sure what the file being downloaded does; it appears to be some scrambled non-English characters. We don’t really have more information, which is why we’re looking for any sources of this route.

Hi @akam9865,

Could you share the site name?

Hi, @akam9865. That path is used internally for site verification purposes. It is a challenge/response mechanism so we can confirm if a proxied domain is using Netlify as an origin or not.

The data being exchanged is both random and meaningless. There isn’t anything embedded or encoded. The challenge response is randomly generated. The data is unique to each challenge/response but otherwise meaningless. There is no security risk to your site by allowing that traffic.

If you block those requests, however, there may be things at Netlify which won’t work as a result. In other words, if you block those requests it will mean our check for “is this really Netlify?” will fail when in fact you are using Netlify. This is why we recommend not blocking those requests.
