SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRule ARGS|REQUEST_HEADERS|XML:/* "@detectSQLi" \
"id:1001,phase:2,deny,status:403,log,msg:'Potential SQLi detected'"
SecRule ARGS|REQUEST_HEADERS|XML:/* "@detectXSS" \
"id:1002,phase:2,deny,status:403,log,msg:'Potential XSS detected'"
A WAF is not a license to ignore secure coding, but it can still buy useful time and visibility. I tune rules for known attack classes and watch false positives aggressively during rollout. Managed poorly, a WAF becomes operational pain; managed well, it becomes a meaningful friction layer.
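One way to do that false-positive watching in practice, as an added example that is not part of the original post: run the engine with `SecRuleEngine DetectionOnly` during rollout, then triage the ModSecurity entries in the Apache error log per rule id before flipping to `On`. The script below assumes the ModSecurity 2.x error-log layout (`[client …] ModSecurity: Warning. … [id "…"] [msg "…"] [uri "…"]`); the log lines embedded in it are constructed to match that layout, and the "many clients, one URI" review heuristic is a rule of thumb for spotting endpoints where ordinary users trip a rule, not a ModSecurity feature.

```python
"""Triage ModSecurity 2.x error-log entries during a WAF rollout.

Added example (not from the original post). Groups rule hits by rule id,
counts blocked vs. warned, and flags rules whose hits pile up on a single
URI from several distinct clients as candidates for false-positive review.
Assumes the Apache/ModSecurity 2.x error-log layout; the regexes below
are the assumption this script depends on.
"""
import re
from collections import defaultdict

# Constructed sample log: one client probing three URIs with SQLi-looking
# input (rule 1001, last one blocked), four rich-text edits on one profile
# endpoint from three different clients (rule 1002), and one unrelated
# Apache line that must be ignored.
SAMPLE_LOG = """\
[Tue Mar 05 10:12:33.100000 2024] [:error] [pid 1201] [client 203.0.113.5:51234] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/custom.conf"] [line "4"] [id "1001"] [msg "Potential SQLi detected"] [hostname "shop.example"] [uri "/login"] [unique_id "a1"]
[Tue Mar 05 10:12:41.200000 2024] [:error] [pid 1201] [client 203.0.113.5:51240] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'sos' [file "/etc/modsecurity/custom.conf"] [line "4"] [id "1001"] [msg "Potential SQLi detected"] [hostname "shop.example"] [uri "/search"] [unique_id "a2"]
[Tue Mar 05 10:12:52.300000 2024] [:error] [pid 1202] [client 203.0.113.5:51251] ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection with fingerprint 'UEk' [file "/etc/modsecurity/custom.conf"] [line "4"] [id "1001"] [msg "Potential SQLi detected"] [hostname "shop.example"] [uri "/api/items"] [unique_id "a3"]
[Tue Mar 05 10:13:02.400000 2024] [:error] [pid 1202] [client 198.51.100.7:40001] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/custom.conf"] [line "6"] [id "1002"] [msg "Potential XSS detected"] [hostname "shop.example"] [uri "/account/bio"] [unique_id "b1"]
[Tue Mar 05 10:13:09.500000 2024] [:error] [pid 1203] [client 198.51.100.8:40002] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/custom.conf"] [line "6"] [id "1002"] [msg "Potential XSS detected"] [hostname "shop.example"] [uri "/account/bio"] [unique_id "b2"]
[Tue Mar 05 10:13:15.600000 2024] [:error] [pid 1203] [client 192.0.2.9:33010] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/custom.conf"] [line "6"] [id "1002"] [msg "Potential XSS detected"] [hostname "shop.example"] [uri "/account/bio"] [unique_id "b3"]
[Tue Mar 05 10:13:20.700000 2024] [:error] [pid 1201] [client 192.0.2.9:33011] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/custom.conf"] [line "6"] [id "1002"] [msg "Potential XSS detected"] [hostname "shop.example"] [uri "/account/bio"] [unique_id "b4"]
[Tue Mar 05 10:13:30.000000 2024] [mpm_prefork:notice] [pid 1200] AH00163: Apache/2.4 configured -- resuming normal operations
"""

# "Access denied with code 403 (phase 2)." when enforcing, "Warning." in
# DetectionOnly mode; everything else in the line is ignored.
ENTRY_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?P<action>Access denied[^.]*\.|Warning\.)'
)
# Bracketed key/value fields appended by ModSecurity after the message.
FIELD_RE = re.compile(r'\[(?P<key>id|msg|uri|hostname) "(?P<val>[^"]*)"\]')


def parse_entry(line):
    """Return a dict for a ModSecurity rule hit, or None for any other line."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    return {
        # Drop the source port; assumes IPv4 (IPv6 "addr:port" is ambiguous).
        "client": m.group("client").rsplit(":", 1)[0],
        "blocked": m.group("action").startswith("Access denied"),
        "id": fields["id"],
        "msg": fields.get("msg", ""),
        "uri": fields.get("uri", ""),
    }


def summarize(log_text, uri_concentration=0.8):
    """Aggregate hits per rule id and mark rules worth a false-positive review."""
    per_rule = defaultdict(lambda: {
        "hits": 0, "blocked": 0, "clients": set(),
        "uris": defaultdict(int), "msg": "",
    })
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        r = per_rule[entry["id"]]
        r["hits"] += 1
        r["blocked"] += int(entry["blocked"])
        r["clients"].add(entry["client"])
        r["uris"][entry["uri"]] += 1
        r["msg"] = entry["msg"]

    report = {}
    for rule_id, r in per_rule.items():
        top_uri, top_count = max(r["uris"].items(), key=lambda kv: kv[1])
        report[rule_id] = {
            "msg": r["msg"],
            "hits": r["hits"],
            "blocked": r["blocked"],
            "distinct_clients": len(r["clients"]),
            "top_uri": top_uri,
            # Heuristic (my assumption, not a ModSecurity feature): most hits
            # for a rule on one URI, from more than one client, suggests
            # legitimate users are tripping it there. One client spraying
            # many URIs looks like scanning and is left alone.
            "review": (top_count / r["hits"] >= uri_concentration
                       and len(r["clients"]) > 1),
        }
    return report


if __name__ == "__main__":
    for rule_id, row in sorted(summarize(SAMPLE_LOG).items()):
        flag = "REVIEW" if row["review"] else "ok"
        print(f'{rule_id} {row["msg"]!r}: {row["hits"]} hits, '
              f'{row["blocked"]} blocked, {row["distinct_clients"]} clients, '
              f'top uri {row["top_uri"]} [{flag}]')
```

Run it against the live error log instead of `SAMPLE_LOG` (for example `summarize(open("/var/log/apache2/error.log").read())`) and review the flagged rule's matching inputs before enforcing; the usual outcomes are a rule exclusion scoped to that endpoint and parameter, or a fix in the application's own input handling.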