Forum Discussion
Illegal HTTP status in response with CDN
Hi Poka,
I understand that you use the ASM functionality "Allowed Response Status Codes".
If a response contains a response status code from 4xx to 5xx that is not on the list, the system issues the violation, Illegal HTTP status in response. If you configured the security policy to block this violation, the system blocks the response with a specific message.
This functionality allows you to avoid sensitive info leaks...
What do you mean by "The CDN team is recommending to relax these rules"? Did the CDN team want you to not use "Allowed Response Status Codes" and let unwanted status codes be released?
In any case, the priority is to secure the application, given the attacks that continue to grow, because if you relax these rules (so show the status code error and body) you will fall into Information Disclosure issues. I agree that this information (these types of issues) is not exploitable in most cases, but it is considered a web application security issue because it allows attackers to gather information which can be used later in the attack lifecycle, in order to achieve more than they could if they didn't get access to such information.
The question to ask is what the benefit of relaxing these errors is for the CDN, especially since such kinds of errors are rare and not frequent.
Regards
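To make the behaviour described in the reply concrete, here is a small model of a response-side status-code allow-list check, as a WAF response filter would apply it. This is an added example, not F5 code and not the original poster's; the allow-list contents, the `Response`/`Verdict` types, the `enforce` function and the generic block page text are all assumptions constructed for the example. It shows the difference between transparent (alarm only) and blocking mode, and why blocking matters: in blocking mode the upstream 500 and its stack-trace body never reach the client.

```python
"""Toy 'Allowed Response Status Codes' filter (constructed example, not F5 code)."""
from dataclasses import dataclass
from typing import Dict, List, FrozenSet
import logging

logger = logging.getLogger("response-filter")

# Assumed allow-list for this example: 4xx/5xx codes the policy lets through.
# Any other 4xx/5xx status is treated as "Illegal HTTP status in response".
ALLOWED_STATUS_CODES: FrozenSet[int] = frozenset({400, 401, 404, 407, 417, 503})

# Constructed generic block page; the real product's page and support ID differ.
BLOCK_PAGE = "<html><body>The requested URL was rejected. Support ID: [PLACEHOLDER]</body></html>"


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class Verdict:
    violation: bool      # did the response trigger the violation?
    blocked: bool        # was the original response withheld from the client?
    response: Response   # what the client actually receives
    reason: str = ""


def is_illegal_status(status: int, allowed: FrozenSet[int] = ALLOWED_STATUS_CODES) -> bool:
    """Violation when the status is in 4xx-5xx and not on the allow-list.
    2xx/3xx codes are never checked, matching the described behaviour."""
    return 400 <= status <= 599 and status not in allowed


def enforce(resp: Response, blocking: bool,
            allowed: FrozenSet[int] = ALLOWED_STATUS_CODES) -> Verdict:
    """Apply the policy to one upstream response.

    blocking=False: transparent mode, log the violation but pass the response as-is.
    blocking=True:  replace the whole response (status, headers, body) with a
                    generic page so neither the code nor the error body leaks.
    """
    if not is_illegal_status(resp.status, allowed):
        return Verdict(violation=False, blocked=False, response=resp)

    reason = f"Illegal HTTP status in response: {resp.status}"
    logger.warning(reason)
    if not blocking:
        return Verdict(violation=True, blocked=False, response=resp, reason=reason)

    # Only a minimal header set is sent; upstream headers such as Server or
    # X-Powered-By are dropped along with the original body.
    safe = Response(200, {"Content-Type": "text/html"}, BLOCK_PAGE)
    return Verdict(violation=True, blocked=True, response=safe, reason=reason)


def demo() -> List[Verdict]:
    """Run three constructed upstream responses through both modes."""
    # Constructed sample: an application error that carries a stack trace.
    leaky_500 = Response(500, {"Server": "AppServer/1.2", "Content-Type": "text/plain"},
                         "Traceback (most recent call last):\n  File \"/srv/app/db.py\"...")
    not_found = Response(404, {"Content-Type": "text/html"}, "<html>Not found</html>")
    ok = Response(200, {"Content-Type": "text/html"}, "<html>hello</html>")
    return [
        enforce(leaky_500, blocking=False),   # violation logged, trace still leaks
        enforce(leaky_500, blocking=True),    # violation logged, client sees block page
        enforce(not_found, blocking=True),    # 404 is on the allow-list: passes
        enforce(ok, blocking=True),           # 2xx is never checked: passes
    ]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for v in demo():
        print(v.violation, v.blocked, v.response.status, v.reason)
```

Relaxing the rule, as the reply describes, corresponds to running `enforce` with `blocking=False` (or adding 500 to the allow-list): the violation may still be logged, but the stack trace and upstream `Server` header reach the client unchanged.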