web application firewalld (WAF) 功能

【web application firewalld (WAF) 功能】亦余心之所善兮,虽九死其犹未悔。这篇文章主要讲述web application firewalld (WAF) 功能相关的知识,希望能为你提供帮助。
1、应用服务级别的安全考虑 引入web安全中的十大安全方向: OWASP: 开源web应用安全项目。Open Web Application Security Project 十大安全问题: SQL 注入、失效的身份认证和会话管理、跨站脚本(xss)、失效的访问控制、安全配置错误、 敏感信息泄露、攻击检测与防护不足、跨站请求伪造(CSRF)、使用含有已知漏洞的组件、未受保护的API 2、应用级别安全选择 对比分析当下主流安全插件 naxsi、modlibsecurity 3、测试应用 4、数据分析 5、功能性用途: 为了解决 top 10 问题   6、加载规则 ModSecurity的企业赞助商TrustWave Spiderlabs提供的推荐的ModSecurity配置 https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/   Add Include directives in the main NGINX WAF configuration file (/etc/nginx/modsec/main.conf, created in Step 4 of Protecting the Demo Web Application) to read in the CRS configuration and rules. Comment out any other rules that might already exist in the file, such as the sample SecRule directive created in that section.   # Include the recommended configuration Include /etc/nginx/modsec/modsecurity.conf # OWASP CRS v3 rules Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-901-INITIALIZATION.conf   https://github.com/SpiderLabs/ModSecurity-nginx#usage https://github.com/SpiderLabs/ModSecurity/wiki#secremoterulesfailaction     官方网站的解释: https://modsecurity.org/crs/

web application firewalld (WAF) 功能

文章图片
 

    推荐阅读