We could extend this the other way too: security research tools shouldn't assert vulnerability based solely on HTTP status code. I think most SPAs require a setup like the one mentioned in the article.
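To illustrate the point about status codes, here is an added example (not code from the commenter or from the article) of why a status-only check misfires on an SPA, and the usual fix: compare each response body against a baseline fetched for random, nonexistent paths so that the catch-all shell page is recognised as a "soft 404". The responses below are constructed in-process to stand in for real HTTP fetches; the paths, the `fake_fetch` stub and the 0.9 similarity threshold are assumptions for the demonstration.

```python
import random
import string
from difflib import SequenceMatcher

# Constructed stand-in for an SPA: every unknown route returns 200 with the
# same HTML shell, and the client-side router decides what to render.
SPA_SHELL = (
    '<!doctype html><html><head><title>App</title></head><body>'
    '<div id="root"></div><script src="/static/app.js"></script>'
    '</body></html>'
)

# Constructed responses (status, body). Only /api/users is genuinely
# route-specific; the other "interesting" paths just get the shell.
CONSTRUCTED_RESPONSES = {
    "/admin": (200, SPA_SHELL),
    "/.git/config": (200, SPA_SHELL),
    "/api/users": (200, '[{"id":1,"name":"alice"},{"id":2,"name":"bob"}]'),
}


def fake_fetch(path):
    """Hypothetical stand-in for an HTTP GET; unknown paths hit the catch-all."""
    return CONSTRUCTED_RESPONSES.get(path, (200, SPA_SHELL))


def naive_is_exposed(path, fetch=fake_fetch):
    """The check being criticised: 200 means 'exists', nothing else is looked at."""
    status, _ = fetch(path)
    return status == 200


def random_path(length=16):
    """A path that almost certainly does not exist on the target."""
    return "/" + "".join(random.choices(string.ascii_lowercase, k=length))


def soft404_baseline(fetch=fake_fetch, samples=3):
    """Fetch a few random paths to learn what 'not found' looks like here."""
    return [fetch(random_path())[1] for _ in range(samples)]


def soft404_aware_is_exposed(path, fetch=fake_fetch, threshold=0.9):
    """Treat a 200 as a finding only if its body differs from the not-found baseline.

    threshold is an assumed similarity cut-off: bodies at least this similar
    to a random-path response are considered the same catch-all page.
    """
    status, body = fetch(path)
    if status != 200:
        return False
    for not_found_body in soft404_baseline(fetch):
        if SequenceMatcher(None, body, not_found_body).ratio() >= threshold:
            return False  # same shell page as a nonexistent route: soft 404
    return True


def scan(paths, fetch=fake_fetch):
    """Return {path: (naive_verdict, soft404_aware_verdict)} for comparison."""
    return {p: (naive_is_exposed(p, fetch), soft404_aware_is_exposed(p, fetch))
            for p in paths}


if __name__ == "__main__":
    for path, (naive, aware) in scan(CONSTRUCTED_RESPONSES).items():
        print(f"{path:14} naive={naive!s:5} soft404-aware={aware}")
```

Against a real target the baseline should be fetched per host (and ideally per directory and extension), since the catch-all page can differ between `/foo` and `/api/foo`; a tool that skips this step will report every wordlist entry on an SPA as present.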
The bane of my existence here working with customers. See, they like doing dumb things like having unified Nessus policies that alert if you have hyper-threading on, so they disable HT on all their servers, including ones that don't run untrusted code. Then at the same time they complain that their expenses are nearly 50% higher than expected in execution costs on my highly multithreaded app.
Reasonable policy and security don't really work well because there's not enough people trained in making this work properly across workloads in the enterprise.