Code scan software and proxy generates possible security risks

Question asked by schlot on Aug 28, 2015
We have a product called Veracode that is used to review our code for security leaks.  It isn't typically run against HTML/JS, but for this project, it's written largely in .NET with just a section of HTML/JS for a map.


Because the project is hosted on an application server, we set up a standard proxy configuration file.  The software scan is generating several 'medium' level security risks, mostly related to cross site scripting, I think solely because we have this proxy configuration to reference the map services.


I think this is all fine, because the whole point of the proxy is to allow the application and AGS server to communicate properly, but that's not official enough to satisfy our customers.  "Because ESRI provides this as a sample" apparently doesn't cut it.


I don't know exactly what I'm looking for here, but I need something maybe more technical that explains that what the proxy configuration is doing is limited in scope in what traffic is allowed and not a gaping hole into our network?
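As an added illustration (not code from the original post, and not Esri's resource proxy itself), the following Python models the part of a proxy configuration that limits scope: the allow-list of backend servers the proxy will forward to. The config fragment is constructed here in the shape of the `serverUrl` entries in a `proxy.config` file (`url`, `matchAll`, `mustMatch`); the matching semantics below are this example's own, chosen so that a request is forwarded only when its scheme, host and port equal a listed entry and its path falls under the listed path (`matchAll="true"`) or equals it exactly (`matchAll="false"`). It also shows why the comparison should be done on the parsed URL rather than as a raw string prefix: a hypothetical attacker host such as `services.arcgisonline.com.attacker.example` satisfies a naive `startswith` check but not a host-aware one. That is the kind of concrete statement a customer can verify: the proxy is an outbound allow-list to a handful of named map servers, not a general forwarder into the network.

```python
"""Model of a resource-proxy allow-list check (added example, not Esri's code).

The sample configuration below is constructed for this example in the shape of
the serverUrl entries found in a proxy.config file. The matching rules are this
example's own:
  * scheme, host and port of the request must equal a listed entry;
  * matchAll="true"  -> any path at or under the listed path is allowed;
  * matchAll="false" -> only that exact path is allowed (query string ignored);
  * mustMatch="false" on <ProxyConfig> disables the allow-list entirely.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample config: one public basemap service (anything under it is
# allowed) and one internal service pinned to a single exact endpoint.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<ProxyConfig mustMatch="true">
  <serverUrls>
    <serverUrl url="https://services.arcgisonline.com/" matchAll="true"/>
    <serverUrl url="https://gis.example.internal/arcgis/rest/services/Parcels/MapServer" matchAll="false"/>
  </serverUrls>
</ProxyConfig>
"""


def parse_config(xml_text):
    """Return (must_match, [(allowed_url, match_all), ...]) from a config document."""
    root = ET.fromstring(xml_text)
    must_match = root.get("mustMatch", "true").lower() == "true"
    entries = [(el.get("url"), el.get("matchAll", "false").lower() == "true")
               for el in root.iter("serverUrl")]
    return must_match, entries


def _normalize(url):
    """Split a URL into (scheme, host, port, path) with defaults filled in.

    Raises ValueError for malformed ports; hostname is taken from the parsed
    authority, so userinfo tricks like https://good.example@evil.example/ resolve
    to evil.example, not good.example.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, host, port, parts.path or "/"


def is_allowed(requested_url, entries, must_match=True):
    """True if the proxy may forward to requested_url under the allow-list."""
    if not must_match:          # configuration explicitly disables the allow-list
        return True
    try:
        r_scheme, r_host, r_port, r_path = _normalize(requested_url)
    except ValueError:          # e.g. non-numeric or out-of-range port
        return False
    if r_scheme not in ("http", "https") or not r_host:
        return False
    for allowed_url, match_all in entries:
        a_scheme, a_host, a_port, a_path = _normalize(allowed_url)
        if (r_scheme, r_host, r_port) != (a_scheme, a_host, a_port):
            continue
        prefix = a_path.rstrip("/")
        if match_all:
            if prefix == "" or r_path == prefix or r_path.startswith(prefix + "/"):
                return True
        elif r_path.rstrip("/") == prefix:
            return True
    return False


def naive_prefix_allowed(requested_url, entries):
    """The comparison NOT to use: raw string prefix on the listed URL."""
    return any(requested_url.startswith(allowed_url.rstrip("/")) for allowed_url, _ in entries)


MUST_MATCH, ENTRIES = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    # Constructed request URLs a map page or an attacker might send through the proxy.
    for url in [
        "https://services.arcgisonline.com/ArcGIS/rest/services/World_Street_Map/MapServer?f=json",
        "https://gis.example.internal/arcgis/rest/services/Parcels/MapServer",
        "https://gis.example.internal/arcgis/admin",
        "https://services.arcgisonline.com.attacker.example/",
        "https://services.arcgisonline.com@attacker.example/",
    ]:
        print(f"{is_allowed(url, ENTRIES, MUST_MATCH)!s:5} host-aware | "
              f"{naive_prefix_allowed(url, ENTRIES)!s:5} naive | {url}")
```

Running the block prints one line per constructed request: the two legitimate service URLs pass, the admin endpoint and the two look-alike hosts are refused by the host-aware check, and the `services.arcgisonline.com.attacker.example` host shows the naive prefix comparison accepting what it should not. When describing the real configuration to a customer, the useful facts are the same ones this model makes explicit: the exact list of hosts, whether each entry is a prefix or an exact URL, and that `mustMatch` is on.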