We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
is /.well-known/acme-challenge/ an xss risk
Hi,
I use https://detectify.com to scan for any possible vulnerabilities, and the site reports that /.well-known/acme-challenge/ is an XSS risk: an attacker can inject JavaScript into the victim's browser, which will execute under the vulnerable domain.
Is that real?
And if that is real, why is it allowed to be accessed by everyone?
Can I remove it, or deny access to it?
I think Let's Encrypt reads the file only once, and then it does not need it.
Please help me with this so it is clearer to me and to others too.
Re: is /.well-known/acme-challenge/ an xss risk
This is a false positive; access to this directory is limited to plain text only.
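A way to verify the "plain text only" claim on your own server, added here as an example and not taken from the thread or from Vesta's configuration: a reflected value can only become XSS if the browser treats the response as HTML, so check that anything under /.well-known/acme-challenge/ is returned with Content-Type text/plain and with X-Content-Type-Options: nosniff (so older browsers do not sniff the body into HTML). In nginx this is usually done with `default_type text/plain;` inside the location block for that path; in Apache with `ForceType text/plain`. The hostname and the sample header sets below are placeholders I constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post or from Vesta). Reads HTTP response
# headers from stdin and decides whether a body served under
# /.well-known/acme-challenge/ could ever execute as script in a browser.
# Run against a live host like this (hostname and token path are placeholders):
#   curl -sI https://example.com/.well-known/acme-challenge/test | check_acme_headers
# Returns 0 when the response is text/plain with nosniff, 1 otherwise.

check_acme_headers() {
    # Normalise: drop CR from HTTP line endings, lower-case header names/values.
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    ctype=$(printf '%s\n' "$hdrs" | sed -n 's/^content-type:[[:space:]]*//p' | head -n1)
    nosniff=$(printf '%s\n' "$hdrs" | sed -n 's/^x-content-type-options:[[:space:]]*//p' | head -n1)

    case "$ctype" in
        text/plain*) ;;   # plain text is rendered, never parsed as HTML/JS
        *) printf 'FAIL: content-type is "%s", not text/plain\n' "$ctype"; return 1 ;;
    esac
    case "$nosniff" in
        nosniff*) ;;      # stops legacy content sniffing that could upgrade text to HTML
        *) printf 'FAIL: missing X-Content-Type-Options: nosniff\n'; return 1 ;;
    esac
    printf 'OK: served as text/plain with nosniff\n'
    return 0
}

# Constructed sample responses (made up for this example, not captured anywhere).
GOOD_HEADERS='HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Content-Length: 87'

BAD_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 87'

# Demo run: the first set passes, the second is what a real XSS-capable
# misconfiguration would look like (scanner finding would then be genuine).
printf '%s\n' "$GOOD_HEADERS" | check_acme_headers
printf '%s\n' "$BAD_HEADERS" | check_acme_headers || :
```

If the check fails on a live server, the scanner's finding is worth taking seriously; if it passes, the directory can keep serving challenge tokens (Let's Encrypt needs it again at every renewal) without being a script-injection point.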