Cdn-cgi directory transport security not enforced

Hello I am having Insecure Transport on cdn-cgi directory

I am having issues with the cdn-cgi/ because the Strict transport security is not enforced
Host: https:/my site
Path: /cdn-cgi/styles/cf.errors.css
Despite having no apps and I also set the WAF to HTTPS only
Can you help?

What exactly is the issue?

Hello Sandro
My client is running the Burp SCAN and unfortunately it shows that
on my web site all returns from the directory cdn-cgi have transport security not enforced.
I have set the HTTPS but I have no action for the cdn-cgi directory
Any idea on how I can assure that all responses will be secure?

/cdn-cgi is a proxy specific path and won’t serve your site’s content. It is served under your domain, so if you already set HSTS, requests for that path will also be subject to it, but domain-specific settings won’t apply to it. I am afraid that’s not something you can change, but you can ignore those warnings as that path, as mentioned, is outside of your overall site.
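
The point made in the reply above, as an added example that is not part of the original thread: HSTS is recorded per host (RFC 6797), so a scanner that checks each response separately flags the `/cdn-cgi/` path even though a browser that has already seen the policy on the host upgrades requests to that path too. The host `example.test`, the header values and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if max-age is missing or invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdecimal():
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def flagged_by_scanner(responses):
    """URLs a per-response check reports: responses with no valid HSTS header."""
    return [url for url, headers in responses
            if parse_hsts(headers.get("strict-transport-security", "")) is None]

class HstsStore:
    """Model of a browser's known-HSTS-host list: keyed by host, never by path."""
    def __init__(self):
        self.hosts = {}

    def note_response(self, url, headers):
        u = urlsplit(url)
        policy = parse_hsts(headers.get("strict-transport-security", ""))
        if u.scheme != "https" or policy is None:
            return  # the header is ignored over plain HTTP
        if policy["max_age"] == 0:
            self.hosts.pop(u.hostname, None)  # max-age=0 removes the host
        else:
            self.hosts[u.hostname] = policy

    def upgrade(self, url):
        """Return the URL the browser would actually request."""
        u = urlsplit(url)
        labels = (u.hostname or "").split(".")
        covered = u.hostname in self.hosts or any(
            self.hosts.get(".".join(labels[i:]), {}).get("include_subdomains")
            for i in range(1, len(labels)))
        return u._replace(scheme="https").geturl() if u.scheme == "http" and covered else url

# Constructed sample responses (hypothetical host; lower-case header names).
RESPONSES = [
    ("https://example.test/", {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    ("https://example.test/cdn-cgi/styles/cf.errors.css", {"content-type": "text/css"}),
]
```

The model also shows the remaining gap: a browser whose only contact with the host has been a `/cdn-cgi/` response without the header has no stored policy yet, so nothing is upgraded until it sees a response that carries it.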


Hello
I am trying to block access to the /cdn-cgi/ directory with a WAF rule
(http.request.uri.path contains "/cdn-cgi/") but to no avail
Can anyone help?

I doubt you can block access to that, as it’s part of the underlying Cloudflare system.

Why are you trying to block access to it?

It is simply because the BURP Suite SCANNERS for security show it as a vulnerability.

Can you share what the detail is of the Vulnerability?


Strict transport security not enforced
2
https://Mysite/cdn-cgi/bm/cv/669835187/api.js
https://Mysite/cdn-cgi/challenge-platform/h/b/scripts/invisible.js

You already raised this issue. I’ll merge this in case you forgot your previous thread.
