Security – PCI Failure due to HTTP Reverse Proxy Detection


We use Security Metrics for our PCI compliance scans. Haven't had any issues in the past but our most recent scan said we failed due to "HTTP Reverse Proxy Detection". I'm guessing this has to do with either static assets or the way heroku routes behind the scenes. Either way I'm not really sure where to go. Did some searching and I can't find anything. Heroku support has been useless.

We are using Rails 4 on Ruby 2. Below are the complete errors reported by Security Metrics. Any help would be appreciated.

TCP 443 https 5.8
Description: HTTP Reverse Proxy Detection
Synopsis: A transparent or reverse HTTP proxy is running on this port.
Impact: This web server is reachable through a reverse HTTP proxy.
Data Received: The GET method revealed those proxies on the way to this web server : HTTP/1.1 vegur
Resolution: n/a
Risk Factor: Medium / CVSS2 Base Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N) CVE: CVE-2004-2320 Additional CVEs: CVE-2007-3008 CVE-2005-3498 CVE-2005-3398

TCP 80 http 5.8
Description: HTTP Reverse Proxy Detection
Synopsis: A transparent or reverse HTTP proxy is running on this port.
Impact: This web server is reachable through a reverse HTTP proxy.
Data Received: The GET method revealed those proxies on the way to this web server : HTTP/1.1 vegur
Resolution: n/a
Risk Factor: Medium / CVSS2 Base Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N) CVE: CVE-2004-2320 Additional CVEs: CVE-2007-3008 CVE-2005-3498 CVE-2005-3398

Best Answer

Please read the referenced CVE bulletins.

The risk basically boils down to: "the HTTP TRACE method is enabled".

Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method.

source: CERT

To resolve that, you simply need to disable the HTTP TRACE method.

For Heroku see for instance: https://stackoverflow.com/questions/17473760/disabled-http-methods-on-heroku
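One way to do what the answer suggests in a Rails 4 app, as an added example that is not code from the original thread or from the linked Stack Overflow answer: a small Rack middleware that answers TRACE (and IIS's TRACK alias) with 405 before the request reaches Rails. The class name BlockTraceMethod, the stand-in ECHO_APP, and the sample request (a constructed Rack env carrying a Cookie header) are my own assumptions; ECHO_APP deliberately echoes the request headers back, which is exactly the behaviour a server honouring TRACE has and the reason the CERT note above warns about cookies.

```ruby
# Rack middleware that refuses HTTP TRACE and TRACK before the request reaches
# the Rails stack. Added example for this thread, not code from the original
# post; the class name and helper names below are assumptions.

class BlockTraceMethod
  # TRACK is the IIS alias for TRACE; refuse both.
  DENIED_METHODS  = %w[TRACE TRACK].freeze
  ALLOWED_METHODS = %w[GET HEAD POST PUT PATCH DELETE OPTIONS].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    if DENIED_METHODS.include?(env['REQUEST_METHOD'].to_s.upcase)
      body = "405 Method Not Allowed\n"
      [405,
       { 'Content-Type'   => 'text/plain',
         'Content-Length' => body.bytesize.to_s,
         'Allow'          => ALLOWED_METHODS.join(', ') },
       [body]]
    else
      @app.call(env)
    end
  end
end

# Stand-in for the Rails app (assumption, constructed for this example): like a
# server that honours TRACE, it echoes the request line and headers back in the
# body. That echo is what a cross-site tracing (XST) attack reads the Cookie
# header out of.
ECHO_APP = lambda do |env|
  headers = env.select { |k, _| k.start_with?('HTTP_') }
               .map { |k, v| "#{k.sub('HTTP_', '').tr('_', '-')}: #{v}" }
  lines = ["#{env['REQUEST_METHOD']} #{env['PATH_INFO']} HTTP/1.1"] + headers
  [200, { 'Content-Type' => 'message/http' }, [lines.join("\r\n") + "\r\n"]]
end

# Minimal Rack env for one request (constructed sample, no real network I/O).
def rack_env(method, path = '/', cookie = 'session=SECRET')
  {
    'REQUEST_METHOD' => method,
    'PATH_INFO'      => path,
    'HTTP_HOST'      => 'example.herokuapp.com',
    'HTTP_COOKIE'    => cookie,
  }
end

# Send one request through the given Rack app and return [status, headers, body].
def probe(method, app = BlockTraceMethod.new(ECHO_APP))
  status, headers, body = app.call(rack_env(method))
  [status, headers, body.join]
end

if __FILE__ == $PROGRAM_NAME
  puts 'Without the middleware:'
  status, _h, body = probe('TRACE', ECHO_APP)
  puts "  TRACE -> #{status}, cookie echoed back? #{body.include?('SECRET')}"

  puts 'With BlockTraceMethod in front:'
  %w[GET TRACE TRACK].each do |m|
    status, _h, body = probe(m)
    puts "  #{m.ljust(5)} -> #{status}, cookie echoed back? #{body.include?('SECRET')}"
  end
end
```

To wire it in, add `config.middleware.insert_before 0, BlockTraceMethod` to `config/application.rb` (Rails' middleware API; index 0 puts it ahead of everything else) and deploy. Then verify from outside with `curl -i -X TRACE https://your-app.herokuapp.com/`: a 405, or any response that does not echo your request headers, means the dyno no longer honours TRACE. One caveat worth checking in that curl output: the middleware only governs what your dyno answers, so if the response comes from the router in front of the app rather than from the app itself, the middleware cannot change it and the scan result has to be taken up with the proxy operator instead.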