Hello and welcome to the Thursday, December 4th, 2025 edition of the Sands Internet StormSters Stormcast.

My name is Johannes Ulrich, recording today from Dallas, Texas.

And this episode is brought you by the sands.edu credit certificate program in cloud

security. In diaries today, I wrote about some observations from our web application honeypots.

Lately, we have seen a number of requests that included various headers that looked like these requests went through

CDNs like Cloudflare, Fastly, Akamai and others. This could have a number of different reasons.

My first guess is that there's an attempt to bypass CDNs.

Many websites are behind CDNs like Loudflare Fastly and rely on them for some basic filtering and also denial of service protection.

The problem is that often it's not too terribly difficult to figure out the actual IP address that a website is being hosted on,

and then an attacker may connect to the web server directly without going through the CDN.

Now, some web applications protect themselves from this bypass by checking if the requests include specific headers that are being added

by the CDN. Now, if you're doing this right, there are specific headers that you're supposed to use

that contain like random values that the attacker isn't supposed to be able to predict, and that way

you can reject some of these bypass requests.

But my assumption at this point is that at least to some extent, well, attackers hope that

you're not checking all that carefully.

Also, there is a chance that some of these requests actually went through the CDN and

that, for example, some of these headers are implicating that a request

went through Cloudflare's warp system, which is kind of like a VPN and could be used

by an attacker to actually obfuscate the origin of some of these attacks.

And if you are running a website that takes advantage of React, a particular React

server components, well, I have some bad news for you. There is a critical vulnerability that

...