Remove via-scanner DAST header as it can cause authentication to fail
Problem to solve
The Via-Scanner header added as part of #327564 (closed) can cause DAST authentication to fail when scanning a website that accesses external domains. This occurs when the browser rejects the request because it violates the target's CORS policy: the custom header forces a preflight, and the external domain's preflight response does not list it as allowed.
Error in browser console
Access to XMLHttpRequest at '[url with external domain]' from origin '[current url]'
has been blocked by CORS policy: Request header field via-scanner is not allowed by
Access-Control-Allow-Headers in preflight response.
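The check behind that console error, as an added illustration that is not part of the original issue or of GitLab's DAST code: a non-safelisted request header such as Via-Scanner triggers a CORS preflight, and the browser blocks the request unless the external domain's Access-Control-Allow-Headers names it (the header names, URLs and preflight response below are constructed).

```javascript
// Header names a browser sends cross-origin without a preflight
// (CORS-safelisted request headers; value-based limits are ignored here).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Parse an Access-Control-Allow-Headers value into a Set of lowercase names.
function parseAllowHeaders(value) {
  return new Set((value || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
}

// Return the request header names the preflight response does not allow.
// withCredentials: true for an authenticated scan (session cookies sent); the
// browser then treats "*" as a literal name, not a wildcard. "Authorization"
// is never covered by the wildcard either.
function blockedHeaders(requestHeaders, allowHeadersValue, withCredentials) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const wildcard = !withCredentials && allowed.has("*");
  const coveredByWildcard = (h) => wildcard && h !== "authorization";
  return Object.keys(requestHeaders)
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h) && !coveredByWildcard(h) && !allowed.has(h));
}

// Build the message the browser console shows for a blocked request, or null.
function corsErrorMessage(requestUrl, origin, requestHeaders, allowHeadersValue, withCredentials) {
  const blocked = blockedHeaders(requestHeaders, allowHeadersValue, withCredentials);
  if (blocked.length === 0) return null;
  return `Access to XMLHttpRequest at '${requestUrl}' from origin '${origin}' ` +
    `has been blocked by CORS policy: Request header field ${blocked[0]} is not allowed by ` +
    `Access-Control-Allow-Headers in preflight response.`;
}

// Constructed sample: an authenticated scanner request to an external API whose
// preflight response allows only Content-Type and Authorization.
const scannerRequest = { "Content-Type": "application/json", "Via-Scanner": "DAST" };
const preflightAllowHeaders = "Content-Type, Authorization";

console.log(corsErrorMessage("https://api.example.com/session", "https://app.example.com",
  scannerRequest, preflightAllowHeaders, true));
```

Dropping the Via-Scanner header from the request (or the external domain adding it to Access-Control-Allow-Headers) makes blockedHeaders return an empty list and the request goes through.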
Proposal
The Via-Scanner header should be optional, added only when the CI/CD variable DAST-ADVERTISE-SCAN is set.
Reported by Ultimate customer in this internal ticket
Edited by Kate Grechishkina