Hello all,
I’m trying to pass a Cloud Application Security Assessment (CASA) Tier 2 audit. I’ve run the self-scan and get several similar security failures for all page requests:
<desc><p>1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine</p><p>- A list of targets for an attack against the application.</p><p> - Potential vulnerabilities on the proxy servers that service the application.</p><p> - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.</p></desc>
<instance>
<uri>https://www.jobbox.cc</uri>
<method>GET</method>
<param/>
<attack>TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.</attack>
<evidence/>
<otherinfo>Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server: - Vercel The following web/application server has been identified: - Vercel </otherinfo>
</instance>
Further down it says:
<p>Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.</p>
The fix seems to be removing or changing the Server response header so that it doesn’t identify Vercel. I tried several ways to do this, including updating the vercel.json file, changing the next.config.mjs file, and adding custom code in middleware.js to adjust the header.
Does anyone have any suggestions on how to change the Server header response?
Project information
Deployment URL: https://www.jobbox.cc
Environment (local, preview, production): production
Project Framework: nextjs 14
Build Settings:
Framework Preset:
Build Command (if not default):
Output Directory (if not default):
Install Command (if not default):
Node/Runtime Version:
Package Manager:
Relevant Packages:
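The two halves of the problem above, checking which headers actually reach the client and stripping the ones the finding names, can be exercised with a small Node script. This is an added example, not code from the original post or from Vercel or Next.js; it assumes Node 18 or later (for the global `Headers` and `fetch`), the header names cited in the ZAP finding (`Server`, `X-Powered-By`) plus `Via`, and a hypothetical `probe()` helper that you would point at a deployment you own. The sample headers in the comments are constructed, not captured from jobbox.cc.

```javascript
// Added example (not from the original post or from Vercel/Next.js).
// Assumes Node 18+ so that Headers and fetch are globals.
// Headers that disclose the serving technology: the two named by the CASA/ZAP
// finding, plus Via, which intermediate proxies add per RFC 9110.
const DISCLOSURE_HEADERS = ["server", "x-powered-by", "via"];

// Report which technology-disclosing headers a response carries.
// Returns an array of { header, value }; empty when the response is clean.
// Constructed sample: Headers({ server: "Vercel", "x-powered-by": "Next.js" })
// yields both entries, in DISCLOSURE_HEADERS order.
function findDisclosures(headers) {
  const found = [];
  for (const name of DISCLOSURE_HEADERS) {
    const value = headers.get(name); // null when absent
    if (value !== null && value.trim() !== "") {
      found.push({ header: name, value });
    }
  }
  return found;
}

// Return a copy of the headers with the disclosing ones removed, leaving the
// input untouched. This is the logic one would apply to the outgoing response
// inside a Next.js middleware; note that a platform edge sitting in front of
// the application may still add its own Server header after the application
// has responded, which is why the probe below checks what the client sees.
function scrubDisclosures(headers) {
  const clean = new Headers(headers);
  for (const name of DISCLOSURE_HEADERS) clean.delete(name);
  return clean;
}

// Hypothetical helper: repeat the scan's probe against a deployment you own.
// GET and OPTIONS are sent with Max-Forwards: 0 so that the first proxy in
// the path answers for itself. fetch() forbids TRACE and TRACK by spec, so
// those two methods from the finding have to be checked with ZAP or curl.
async function probe(url) {
  const results = {};
  for (const method of ["GET", "OPTIONS"]) {
    try {
      const res = await fetch(url, {
        method,
        headers: { "Max-Forwards": "0" },
        redirect: "manual",
      });
      results[method] = { status: res.status, disclosures: findDisclosures(res.headers) };
    } catch (err) {
      results[method] = { error: String(err.message) };
    }
  }
  return results;
}

// Usage (only when run directly): node check-headers.js https://example.invalid/
if (process.argv[1] && process.argv[1].endsWith("check-headers.js") && process.argv[2]) {
  probe(process.argv[2]).then((r) => console.log(JSON.stringify(r, null, 2)));
}

module.exports = { DISCLOSURE_HEADERS, findDisclosures, scrubDisclosures, probe };
```

`X-Powered-By` is the one header the framework itself emits; Next.js drops it when `poweredByHeader: false` is set in `next.config.js`. Running `probe()` after each configuration change shows whether the `Server` value the scanner reported is still being added by the edge in front of the application, which is the part the middleware cannot reach.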