Hello,
I have a client who requires the website security to comply with the OWASP Top 10 standards. To address this, I conducted a scan of my websites (all made with Webflow) using the ZAP scanning tool. The scan identified one issue that needs to be fixed:
The Cloud Metadata Attack exploits a misconfigured NGINX server to access instance metadata maintained by cloud service providers such as AWS, GCP, and Azure. These providers serve metadata through an internal, unroutable IP address ‘169.254.169.254’. If the NGINX server is misconfigured, it can expose this metadata by accepting the IP address in the Host header field.
Could anyone please advise if it’s possible to fix this issue?
Thanks!