I use https://detectify.com/ to check my website of any possible security issue, the site gives me that /.well-known /acme-challenge/ could be an XSS so that an attacker can inject JavaScript into the victim’s browsers, which will execute under the vulnerable domain. the website show an example wit…

Is .well-known/acme-challenge/ an XSS risk

tdelmas August 3, 2018, 4:09pm 7

The Header X-Content-Type-Options: nosniff should fix it for (almost) all browsers: X-Content-Type-Options - HTTP | MDN

2 Likes

Topic		Replies	Views
XSS via ACME implementations Issuance Tech	6	2272	October 16, 2018
.well-known/acme-challenge/ should be removed? Help	4	636	August 19, 2022
.well-known - challenge3 failed - Is this a JS issue? Help	4	2495	April 16, 2017
Well-known/acme-challenge/test gives 404 Help	13	1647	February 28, 2019
Googlebot just found this url Help	6	744	May 17, 2020