0

We have built a web application platform with Firebase as the centre of the technology, and at this point, when we need to submit for PCI DSS, our system is failing the test because it is all built on Firebase. Please tell me that Firebase Hosting is a PCI compliant one. My report passes all the tests except the reverse proxy test. Can this be solved, or do we need to spend time and money to rebuild / move the entire infrastructure somewhere else? Below is the issue reported by the ASV.

So basically, to be PCI compliant, we should have a PCI compliant reverse proxy, and if Google proves that the reverse proxy (Varnish), they can set it report a compliant one.

Can anyone please help us?


Anant Anand Gupta

1 Answer

0

How about just nuking the x-varnish, via and server headers so that varnish can't be trivially detected?

In your /etc/varnish/default.vcl:

sub vcl_deliver {
  unset resp.http.via;
  unset resp.http.server;
  unset resp.http.x-varnish;
}
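
A way to confirm the change after reloading Varnish, added here as an example that is not part of the original answer: the function reads a raw response header block (for instance from `curl -sI`) and lists which of the three headers unset above are still present. The function names, the placeholder host and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer).
# Reads a raw HTTP response header block on stdin and prints, one per line,
# the lower-cased name of each header the VCL above is meant to remove.
disclosing_headers() {
  tr -d '\r' |                       # HTTP header lines end in CRLF
  awk -F: '
    index($0, ":") > 1 {             # status lines carry no colon, so they are skipped
      name = tolower($1)             # header names are case-insensitive
      if (name == "via" || name == "server" || name == "x-varnish")
        seen[name] = 1
    }
    END { for (n in seen) print n }
  ' | sort
}

# Succeeds (exit 0) only when none of the three headers is present.
headers_clean() {
  [ -z "$(disclosing_headers)" ]
}

# Constructed sample: a response before the vcl_deliver change.
SAMPLE_BEFORE=$(printf 'HTTP/1.1 200 OK\r\nServer: example-server\r\nVia: 1.1 varnish\r\nX-Varnish: 12345 67890\r\nContent-Type: text/html\r\n\r\n')

# Constructed sample: the same response after the headers are unset.
SAMPLE_AFTER=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: max-age=3600\r\n\r\n')

# Typical use against your own site (placeholder host):
#   curl -sI https://your-site.example/ | disclosing_headers
```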