PCI-DSS 4.0 6.4.2
Controls to protect applications
UnveilScan findings mapped to this control
The scanner emits 4 distinct findings on this control. Click "Scan a domain" below to see which of them currently apply to your site, with copy-paste remediation snippets (nginx, Apache, DNS BIND, web-server config).
web.http_method_delete
⏱ 15 min
WEB — HTTP method DELETE
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 2 other controls
web.http_method_put
⏱ 30 min
WEB — HTTP method PUT
Risk if ignored: PUT accepted on the root path typically allows arbitrary file upload — attacker-controlled content served from your origin.
security, reputational
Also maps to 2 other controls
web.rate_limit_headers_missing
⏱ 15 min
WEB — Rate-limit headers missing
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.wp_xmlrpc_enabled
⏱ 15 min
WEB — WordPress XML-RPC enabled
Risk if ignored: roughly 1000 password attempts per HTTP request via system.multicall (credential brute force). Also weaponisable for pingback DDoS against third parties.
security, reputational