【web application firewalld (WAF) 功能】亦余心之所善兮,虽九死其犹未悔。这篇文章主要讲述web application firewalld (WAF) 功能相关的知识,希望能为你提供帮助。
1、应用服务级别的安全考虑
引入web安全中的十大安全方向:
OWASP: 开源web应用安全项目。Open Web Application Security Project
十大安全问题:
SQL 注入、失效的身份认证和会话管理、跨站脚本(xss)、失效的访问控制、安全配置错误、
敏感信息泄露、攻击检测与防护不足、跨站请求伪造(CSRF)、使用含有已知漏洞的组件、未受保护的API
2、应用级别安全选择
对比分析当下主流安全插件
naxsi、modlibsecurity
3、测试应用
4、数据分析
5、功能性用途:
为了解决 top 10 问题
6、加载规则
ModSecurity的企业赞助商TrustWave Spiderlabs提供的推荐的ModSecurity配置
https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/
Add Include directives in the main NGINX WAF configuration file (/etc/nginx/modsec/main.conf, created in Step 4 of Protecting the Demo Web Application) to read in the CRS configuration and rules. Comment out any other rules that might already exist in the file, such as the sample SecRule directive created in that section.
# Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf
# OWASP CRS v3 rules
Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-901-INITIALIZATION.conf
https://github.com/SpiderLabs/ModSecurity-nginx#usage
https://github.com/SpiderLabs/ModSecurity/wiki#secremoterulesfailaction
官方网站的解释:
https://modsecurity.org/crs/
文章图片
推荐阅读
- 同花顺下载|同花顺app免费下载
- Mac环境下使用Appium Inspector进行元素定位
- Android app:transformNativeLibsWithStripDebugSymbolForDebug错误分析
- 伴生类和伴生对象(apply方法的实践)
- Android Studio中SVN的使用
- Android版数据结构与算法(二叉排序树)
- 映射器Mapping
- Merge array and hash in ruby if key appears in array
- app|甘草医生医护版下载