OWASP Proxy Disclosure [40025] - Cloudflare proxy

Hello,

I’m undergoing a CASA security assessment and the dynamic scanning with ZAP returns an OWASP Proxy Disclosure [40025] failure because of, to my best understanding, the `server: cloudflare` header returned with every response in applications hosted on Render (see below).

Unfortunately, this fails the assessment. While I understand revealing that a webapp is hosted on Cloudflare does not really increase any security risk (you could find that out via an IP lookup easily), is there a way to disable/remove that header so that my app could pass the security assessment?

### OWASP Proxy Disclosure [40025]

1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine 
 - A list of targets for an attack against the application.
 - Potential vulnerabilities on the proxy servers that service the application.
 - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. 

* URL: https://www.<redacted>
  * Method: `GET`
  * Parameter: ``
  * Attack: `TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.`
  * Evidence: ``
  * Other Info: `Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server: 
- cloudflare
The following web/application server has been identified: 
- cloudflare
`

Instances: 1

### Solution

Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.
Disable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).
Configure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.
Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.

```
➜  curl -I -X HEAD https://render.com/
HTTP/2 200
date: Wed, 20 Sep 2023 12:20:00 GMT
....
server: cloudflare
```

NB: I have disabled TRACE, TRACK and OPTIONS HTTP methods at the application level, but that does not seem to be sufficient.

Hi there,

This isn’t possible to change at all: https://community.cloudflare.com/t/can-we-hide-cloudfare-server-name-in-http-response-header/317141

Regards,

John B
Render Support, UTC+1 :uk:
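
The origin-side items from the scanner's "Solution" list, as an added example that is not part of the original thread: a WSGI middleware (Python is an assumption, the thread does not say what the app is written in) that answers TRACE, TRACK and, unless needed for CORS, OPTIONS with a generic 405 and strips `Server` and `X-Powered-By` from application responses. `HardenOrigin`, `demo_app` and `call` are hypothetical names; headers added after this layer, such as the `server: cloudflare` value set at the edge, are outside its reach.

```python
# Added example: origin-side hardening as WSGI middleware (names are hypothetical).
BLOCKED_METHODS = {"TRACE", "TRACK"}
DISCLOSING_HEADERS = {"server", "x-powered-by"}
ALLOWED = "GET, HEAD, POST"  # assumption: the methods this app actually serves


class HardenOrigin:
    def __init__(self, app, allow_options=False):
        self.app = app
        self.allow_options = allow_options  # set True only if CORS preflight is required

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method in BLOCKED_METHODS or (method == "OPTIONS" and not self.allow_options):
            # Generic body instead of a product-specific, fingerprintable error page.
            body = b"Method Not Allowed\n"
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
                ("Allow", ALLOWED),
            ])
            return [body]

        def filtered_start(status, headers, exc_info=None):
            # Drop technology/version headers set by the application or framework.
            # Headers added later by the WSGI server or a proxy are not visible here.
            kept = [(k, v) for k, v in headers if k.lower() not in DISCLOSING_HEADERS]
            return start_response(status, kept, exc_info)

        return self.app(environ, filtered_start)


def demo_app(environ, start_response):
    # Constructed origin app that leaks product headers.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "ExampleServer/1.2"),
                              ("X-Powered-By", "ExampleFramework")])
    return [b"ok\n"]


def call(app, method):
    """Invoke a WSGI app in-process; return (status, lower-cased headers, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, {k.lower(): v for k, v in headers}
    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": "/"}, start_response))
    return seen["status"], seen["headers"], body
```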
