CASA Security Review — Executive Summary
App: one-scan-to-rule-them-all · Target: agent.consul.so · Assessor: TAC Security (ESOF AppSec ADA) · Date: Feb 23–24, 2026 · Cyber Score: 9.4/10
Bottom Line
You pass. Google's CASA Tier 2 only requires remediation of Critical and High findings. Your report has zero of either. The remaining Low and Info items are configuration hardening suggestions and scanner noise — not security vulnerabilities.
What Was Found
| Severity | Count | Blocking? | Status |
|---|---|---|---|
| Critical | 0 | Yes | ✅ Clear |
| High | 0 | Yes | ✅ Clear |
| Medium | 0 | Yes (revalidation) | ✅ Clear |
| Low | 2 | No | ⚠️ Open |
| Info | 7 | No | ⚠️ 6 Open, 1 Patched |
The 2 Low Findings
- Cross-Domain CORS Misconfiguration — `Access-Control-Allow-Origin: *` is set on static assets. Fix: restrict the header to your own domain in Vercel config.
- Proxy Disclosure — Vercel is fingerprinted via TRACE/OPTIONS methods. Fix: disable the TRACE method and suppress server version headers.
The 7 Info Findings
| Finding | Real Risk | Action |
|---|---|---|
| X-Powered-By Header Leak | None | ✅ Already patched |
| Missing COOP Header | Minimal | Add Cross-Origin-Opener-Policy: same-origin header |
| Suspicious Comments | None | Scanner false positives on minified JS (e.g., "SELECT", "QUERY" in React/Next.js code) |
| Modern Web Application | None | Scanner simply detected a SPA — not a vulnerability |
| Retrieved from Cache | None | Vercel CDN behavior — verify sensitive routes use no-store |
| Storable Non-Cacheable Content | None | Informational — static assets cached normally |
| User Agent Fuzzer | None | Scanner tested different user agents — no issues found |
Why the Report Says "Fix Everything" but Google Doesn't
- TAC Security's report states all vulnerabilities must be patched for Tier 2 — this is their internal policy.
- Google's official FAQ states you need to remediate "critical or high findings" only.
- ADA's Tier 2 criteria block only on CWEs with "high likelihood of exploit" — none of your findings qualify.
Recommended Next Steps
- Fix CORS + Proxy Disclosure — both are simple Vercel header configs and good practice regardless.
- Add COOP header — one-line addition to next.config.js or vercel.json.
- Dispute the rest — submit "not applicable" responses to TAC Security for the scanner-noise Info findings. Typical turnaround: 1–3 business days.
- Request your LOV — once TAC marks findings as resolved/disputed, they issue the Letter of Validation.
- Submit LOV to Google — verification typically granted within 5–6 business days.
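The header fixes for the CORS, COOP, cache and X-Powered-By items above, as an added next.config.js example (not the project's own file). It assumes a Next.js app on Vercel and that https://agent.consul.so is the only origin that should be allowed; the weak setting the scanner flagged sits beside the hardened set, and a small audit helper re-checks both the way the report did. The TRACE-method part of the Proxy Disclosure fix is a method restriction, not a header, and is not covered here.

```javascript
// Assumption: https://agent.consul.so is the only origin that should be allowed.
const ALLOWED_ORIGIN = 'https://agent.consul.so';

// Constructed "before" state: the header set the scanner flagged on static assets.
const WEAK_ASSET_HEADERS = [
  { key: 'Access-Control-Allow-Origin', value: '*' },
];

// Hardened header set applied to every route.
const HARDENED_HEADERS = [
  // Low finding: CORS scoped to the app's own origin instead of any origin.
  { key: 'Access-Control-Allow-Origin', value: ALLOWED_ORIGIN },
  // Lets the CDN key its cache on Origin now that the response depends on it.
  { key: 'Vary', value: 'Origin' },
  // Info finding: isolate the browsing context from cross-origin openers.
  { key: 'Cross-Origin-Opener-Policy', value: 'same-origin' },
];

function headerValue(headers, key) {
  const h = headers.find((x) => x.key.toLowerCase() === key.toLowerCase());
  return h ? h.value : undefined;
}

// Re-checks the two header findings from the report against a header list and
// returns the names of the findings that would still be raised.
function auditHeaders(headers) {
  const open = [];
  if (headerValue(headers, 'Access-Control-Allow-Origin') === '*') {
    open.push('Cross-Domain CORS Misconfiguration');
  }
  if (headerValue(headers, 'Cross-Origin-Opener-Policy') !== 'same-origin') {
    open.push('Missing COOP Header');
  }
  return open;
}

function routeHeaders() {
  return [
    { source: '/:path*', headers: HARDENED_HEADERS },
    // "Retrieved from Cache" item: keep sensitive API responses out of the CDN cache.
    { source: '/api/:path*', headers: [{ key: 'Cache-Control', value: 'no-store' }] },
  ];
}

const nextConfig = {
  poweredByHeader: false, // X-Powered-By finding (already patched per the report)
  async headers() { return routeHeaders(); },
};
module.exports = nextConfig;
```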
SAQ (Self-Assessment Questionnaire)
All 54 OWASP ASVS-based requirements were answered "Yes — Applicable" with documented justifications. No gaps identified.
Assessment valid for 12 months. Annual revalidation required.