The Azure Application Gateway WAF V2 is vulnerable to Sensitive Data Exposure, because it responds with the Server header equal to Microsoft-Azure-Application-Gateway/v2 if it is invoked with the http TRACE method and Max-Forwards header = 0. This information helps a potential attacker to determine
- A list of targets for an attack against the application.
- Potential vulnerabilities on the proxy servers that service the application.
- The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated.
as described in OWASP.
Is there any way to avoid this and thus be owasp compliant?