This is insanity. Can someone tell me where and who I can speak to about getting a statement from Shopify to confirm that there is no CGI installed on my site? Security Metrics is requiring this as of 04.2024.
Hi, @ftp.
Thank you for reaching out!
Shopify uses a Rails tech stack, and does not leverage a Common Gateway Interface implementation. It's possible that whatever scanner is being used is attempting to check for CGI Scripts by sending a web request, but since Rails is sending a response, the tool is detecting a false positive since it received a response from the server.
By default, the request URL routes accept an optional extension format parameter, e.g. https://shopify.com/index(.format).
This means that the service tries to infer the appropriate response type per the requested .format in the URL and otherwise falls back to another type of response.
In the referenced request https://www.salt-watersandals.co.uk/account/register.cgi, the text/html response is served since .cgi isn't an extension type the server handles. The response will still return an HTTP 200.
To be clear, there is no .cgi response type the server handles; it returns the default HTML content, which is the equivalent of https://www.salt-watersandals.co.uk/account/register.
Emily | Social Care @ Shopify
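One way to triage the scanner finding described in the reply above, as an added example that is not Shopify's or the scanner vendor's code: compare the `.cgi` response with the extensionless page and with a made-up extension, and treat identical HTML as the format fallback. The `Response` type, the function names, the token-stripping pattern and the sample responses are constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    content_type: str
    body: str


def _media_type(resp: Response) -> str:
    # Compare "text/html" only, ignoring "; charset=..." parameters.
    return resp.content_type.split(";")[0].strip().lower()


def _fingerprint(resp: Response) -> str:
    # Blank the per-request CSRF token before hashing so two loads of the
    # same page compare equal (attribute layout is an assumption).
    stable = re.sub(r'(name="authenticity_token" value=")[^"]*', r"\1", resp.body)
    return hashlib.sha256(stable.encode()).hexdigest()


def _same_page(a: Response, b: Response) -> bool:
    return (a.status == b.status and _media_type(a) == _media_type(b)
            and _fingerprint(a) == _fingerprint(b))


def triage_cgi_finding(probe: Response, baseline: Response, random_ext: Response) -> str:
    """probe = /path.cgi, baseline = /path, random_ext = /path.<made-up ext>."""
    if probe.status == 404:
        return "not-found"        # server has no handler for the .cgi path
    if _same_page(probe, baseline) and _same_page(probe, random_ext):
        return "false-positive"   # extension ignored, default HTML served
    return "investigate"          # .cgi produced something page-specific


# Constructed sample responses (not captured from any real site).
PAGE = '<form><input name="authenticity_token" value="{}"></form>Create account'
BASELINE = Response(200, "text/html; charset=utf-8", PAGE.format("tok-1"))
PROBE_CGI = Response(200, "text/html; charset=utf-8", PAGE.format("tok-2"))
PROBE_RANDOM = Response(200, "text/html", PAGE.format("tok-3"))

if __name__ == "__main__":
    print(triage_cgi_finding(PROBE_CGI, BASELINE, PROBE_RANDOM))
```

A "false-positive" result, together with the three raw responses, is the kind of evidence a scan vendor can review when disputing the finding.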