Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
586 questions
How to fix Proxy Disclosure Using CDN Frontend ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 12%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
Mosa REMBALA
0
Reputation points
Hi Team,
I need your help for these points to fix Proxy Disclosure, so my questions are how to :
1- Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.
2- Disable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).
3- Configure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.
4- Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.
This is a table specifying theneeds:
Evidence
Thanks for your feedback.
{count} votes
-
KapilAnanth-MSFT 35,591 Reputation points Microsoft Employee2023-01-25T06:19:51.9366667+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to avoid Proxy disclosure.
- May I know if you are using Azure CDN or Azure Front Door?
- What is the backend service? Is it an IIS or AppService or a custom web server?
Cheers,
Kapil
-
KapilAnanth-MSFT 35,591 Reputation points Microsoft Employee
2023-01-30T04:33:12.2+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
Thanks,
Kapil
-
Mosa REMBALA 0 Reputation points
2023-02-01T13:20:17.03+00:00 @kapil
Thanks for your feedback.- May I know if you are using Azure CDN or Azure Front Door? == We use Azure CDN
- What is the backend service? Is it an IIS or AppService or a custom web server? == Blob Static Website
-
KapilAnanth-MSFT 35,591 Reputation points Microsoft Employee
2023-02-03T11:05:09.93+00:00 I understand the website you have shared is listing the methods TRACE, OPTIONS and TRACK methods can be used for a potential attack.
However, I am not able to reproduce this using POSTMAN from my end.
- Can you please test the three HTTP verbs against your CDN endPoint using POSTMAN?
- And share the screenshot or HTTP Status returned for each?
Also, what is the CDN you are using? Microsoft Provided CDN or a different one?
Cheers,
Kapil
-
KapilAnanth-MSFT 35,591 Reputation points Microsoft Employee
2023-02-06T04:15:21.8766667+00:00 Can you please update us if the action plan provided was helpful?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Thanks,
Kapil
Sign in to comment