Is /.well-known/acme-challenge/ an XSS risk?
Hi,
I use https://detectify.com to scan for any possible vulnerabilities. The site tells me that /.well-known/acme-challenge/ is an XSS risk and that an attacker can inject JavaScript into the victim's browser, which will execute under the vulnerable domain.
Is that real?
And if that is real, why is it allowed to be accessed by everyone?
Can I remove it, or deny access to it?
I think Let's Encrypt reads the file only once, and then does not need it.
Please help me with this, to make it clearer to me and to others too.
Re: Is /.well-known/acme-challenge/ an XSS risk?
This is a false positive; access to this directory is limited to plain text only.
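
One way to check the "plain text only" point in the reply above, as an added example that is not part of the thread: the function classifies a response from the challenge path by whether a marker from the request is reflected and by its Content-Type and X-Content-Type-Options headers. The probe marker, the sample responses and the verdict labels are constructed for this example.

```python
# Added example (not from the thread). Probe marker, sample responses and
# verdict labels are constructed for illustration.
SCRIPTABLE = {"text/html", "application/xhtml+xml", "image/svg+xml",
              "text/xml", "application/xml"}
PROBE = "<probe-7f3a>"  # harmless marker a tester would place in the URL path

def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def assess(headers, body, probe=PROBE):
    """Classify one response from /.well-known/acme-challenge/<probe>."""
    if probe not in body:
        return "ok-not-reflected"        # absent or HTML-escaped in the body
    ctype = header(headers, "Content-Type").split(";", 1)[0].strip().lower()
    nosniff = header(headers, "X-Content-Type-Options").lower() == "nosniff"
    if ctype in SCRIPTABLE:
        return "risk-scriptable-type"    # browser parses the reflection as markup
    if ctype == "text/plain":
        return "ok-plain-text" if nosniff else "ok-plain-text-add-nosniff"
    if not ctype and not nosniff:
        return "review-type-sniffable"   # no declared type: browser may guess
    return "review-unexpected-type"

SAMPLES = {  # constructed responses
    "plain": ({"Content-Type": "text/plain; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}, "Not found: " + PROBE),
    "plain_no_nosniff": ({"content-type": "text/plain"}, "Not found: " + PROBE),
    "html": ({"Content-Type": "text/html"}, "<h1>404</h1>" + PROBE),
    "escaped": ({"Content-Type": "text/html"}, "&lt;probe-7f3a&gt;"),
    "untyped": ({}, PROBE),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(name, "->", assess(hdrs, body))
```

Feed it the headers and body your own server returns for a non-existent token under the challenge path; only a reflection served with a scriptable type supports the scanner's finding.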