The Nmap scan results reveal that the application server (App01.example.com) has its HTTP (port 80) and HTTPS (port 443) ports open to the internet. The network architecture intends for all traffic to be filtered through the CDN/WAF. However, because the application server is directly accessible, an attacker can send requests to it without going through the WAF, effectively bypassing its security protections. This is a common misconfiguration where the origin server is not properly firewalled to accept connections only from the CDN/WAF's IP addresses.

The two most effective preventative measures address the vulnerability at different layers.

1. Network Layer: Restricting communication at the network level is the primary solution. This involves configuring firewall rules or network access control lists (ACLs) on the application server to only accept incoming traffic from the specific IP address ranges of the CDN/WAF. This ensures no other entity on the internet can connect directly.
2. Application Layer: Requiring a custom authentication header adds a second layer of defense. The CDN/WAF is configured to add a secret, custom HTTP header to all requests it forwards to the application server. The application server is then configured to reject any request that does not contain this specific header and value, preventing direct access.

Microsoft Azure Documentation. (2023). Restrict access to a specific Azure region. In Azure Front Door. Microsoft explicitly recommends using IP ACLing for backends to ensure traffic is routed exclusively through the Front Door service. "You can configure your backend to only accept traffic from Azure Front Door's backend IP address range and Azure's infrastructure services. ... This configuration ensures that your backend is only reachable through Azure Front Door."

Amazon Web Services (AWS) Documentation. (2024). Restricting access to an Amazon S3 origin. In Amazon CloudFront Developer Guide. AWS details two methods for securing an origin: using origin access control (OAC) and adding custom headers. The guide states, "You can require that users access your content through CloudFront URLs, not by using Amazon S3 URLs. ... Another way to restrict access to content at an origin is to add custom headers to the requests that CloudFront sends to your origin." (Section: Using custom headers to restrict access).

Chell, S., et al. (2020). The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws (2nd ed.). Wiley. While the book itself is a commercial source, the principles it describes are foundational in cybersecurity academia. It discusses bypassing frontend proxies and WAFs by identifying the direct IP address of the backend server, a technique that is only possible if the backend server's firewall is misconfigured. The standard remediation is to ensure the backend only accepts connections from the trusted frontend proxy. (Chapter 9: Attacking Application Architecture).