Remove via-scanner DAST header as it can cause authentication to fail

Problem to solve

The Via-Scanner header added as part of #327564 (closed) can cause DAST authentication to fail when scanning a website that accesses external domains. This occurs when the browser rejects the request because it violates the target's CORS policy: the non-safelisted custom header triggers a preflight, and the external domain's preflight response does not list via-scanner in Access-Control-Allow-Headers.

Error in browser console

Access to XMLHttpRequest at '[url with external domain]' from origin '[current url]' 
has been blocked by CORS policy: Request header field via-scanner is not allowed by 
Access-Control-Allow-Headers in preflight response.
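To make the failure mode concrete, here is a small model of the browser-side CORS decision that produces the console error above. This is an added example, not GitLab DAST code: it implements the Fetch standard's rules for CORS-safelisted request headers and for Access-Control-Allow-Headers (including the credentialed-request wildcard caveat), and runs them over constructed requests with and without the Via-Scanner header. The header value "gitlab-dast" and the sample allow-lists are assumptions for illustration.

```python
"""Model of the browser CORS check that blocks a custom Via-Scanner header.

Added example (not GitLab's implementation). Rules follow the Fetch standard's
"CORS-safelisted request-header" and preflight-response handling, simplified:
value-length and byte-range restrictions on safelisted headers are omitted.
"""

# Header names a browser may send cross-origin without a preflight.
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
# Content-Type is only safelisted for these media types.
SAFE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def is_safelisted(name: str, value: str) -> bool:
    """True if this header never triggers a preflight on its own."""
    lname = name.lower()
    if lname not in SAFELISTED:
        return False
    if lname == "content-type":
        media_type = value.split(";")[0].strip().lower()
        return media_type in SAFE_CONTENT_TYPES
    return True


def needs_preflight(request_headers: dict) -> bool:
    """True when at least one request header is not CORS-safelisted."""
    return any(not is_safelisted(n, v) for n, v in request_headers.items())


def blocked_headers(request_headers: dict, allow_headers: str,
                    credentials: bool = False) -> list:
    """Return the (lower-cased) request headers the preflight response rejects.

    allow_headers is the raw Access-Control-Allow-Headers value ("" if absent).
    A "*" entry permits every header except Authorization, but only for
    requests sent without credentials; with credentials it matches literally.
    """
    allowed = {h.strip().lower() for h in allow_headers.split(",") if h.strip()}
    wildcard = "*" in allowed and not credentials
    blocked = []
    for name, value in request_headers.items():
        lname = name.lower()
        if is_safelisted(name, value):
            continue
        if wildcard and lname != "authorization":
            continue
        if lname in allowed:
            continue
        blocked.append(lname)
    return blocked


def console_message(origin: str, url: str, request_headers: dict,
                    allow_headers: str, credentials: bool = False) -> str:
    """Render the outcome the way a browser console would report it."""
    blocked = blocked_headers(request_headers, allow_headers, credentials)
    if not blocked:
        return "ok"
    return (f"Access to XMLHttpRequest at '{url}' from origin '{origin}' has "
            f"been blocked by CORS policy: Request header field {blocked[0]} "
            f"is not allowed by Access-Control-Allow-Headers in preflight response.")


if __name__ == "__main__":
    # Constructed sample: the scanned app calls an external API during login.
    origin, api = "https://app.example", "https://api.external.example/login"
    scanner_headers = {"Content-Type": "application/json",
                       "Via-Scanner": "gitlab-dast"}       # header under discussion
    plain_headers = {"Content-Type": "application/json"}
    allow = "content-type, x-requested-with"               # external API's policy
    print(console_message(origin, api, scanner_headers, allow))  # blocked
    print(console_message(origin, api, plain_headers, allow))    # ok
```

The point the model makes explicit: a JSON login request already needs a preflight for its Content-Type, and the external API's policy covers that; adding Via-Scanner introduces a second header that the external domain has no reason to allow-list, so the browser drops the whole request and the login flow never completes. Making the header opt-in removes the extra preflight requirement for sites that did not ask for it.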

Proposal

The Via-Scanner header should be optionally added using the CI/CD variable DAST-ADVERTISE-SCAN.

Intended users

  • Sasha (Software Developer)
  • Sam (Security Analyst)

What is the type of buyer?

Ultimate

Reported by Ultimate customer in this internal ticket

Edited Jul 01, 2021 by Kate Grechishkina