Why is my PCI compliance scan complaining about a reverse proxy?


This check is primarily concerned with a vulnerability involving requests that use the HTTP TRACE method. As the CVEs it references show, each one involves some form of proxy operating in front of an application that accepts TRACE requests by default, which can lead to information leaks depending on the exact situation.

In Heroku's case, the proxy in place is part of our routing layer and is a transparent, non-caching proxy: the request is passed through to your application unchanged and the response is left entirely to your application. The Heroku router is implemented to follow the HTTP RFCs closely, so it supports all HTTP methods and adds a Via header as the RFCs describe. It is therefore up to individual applications to block or disallow requests that use the TRACE method.

Even after doing so, you may still get complaints from PCI scanning services about this issue; that is generally because their check is overly broad. So long as your application is disallowing TRACE HTTP requests and you can demonstrate that, you should be in a good position to have the failing check waived.
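As an added illustration (not Heroku's code), the following WSGI middleware rejects TRACE at the application layer with a 405 and includes a small in-process harness so you can show the behaviour without a live host; the `DenyTrace`, `demo_app` and `call` names are hypothetical.

```python
# Hypothetical example: application-side TRACE blocking for a WSGI app on Heroku.
# The router passes TRACE through, so the app itself must refuse it.
from typing import Callable, Iterable, Tuple


def demo_app(environ, start_response) -> Iterable[bytes]:
    """Placeholder downstream application standing in for your real app."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


class DenyTrace:
    """Answer TRACE with 405 before the request reaches the wrapped app."""

    DENIED = {"TRACE"}  # extend here if your scanner flags other methods

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method in self.DENIED:
            body = b"method not allowed"
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain"),
                ("Allow", "GET, HEAD, POST"),      # advertise what you do accept
                ("Content-Length", str(len(body))),
            ])
            return [body]          # request never reaches the application
        return self.app(environ, start_response)


def call(app, method: str) -> Tuple[str, bytes]:
    """Invoke a WSGI app with a minimal constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/", "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


app = DenyTrace(demo_app)  # wrap your real application the same way

if __name__ == "__main__":
    for m in ("GET", "TRACE"):
        print(m, call(app, m))
```

Against the deployed app, `curl -i -X TRACE https://<your-app>/` returning 405 is the evidence a scanning vendor will typically accept for the waiver.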