This isn't a "security vs usability" trade-off as the author implies. This has nothing to do with security at all.

/etc/hosts

See, HN didn't complain. Does this mean I have hacked into the site? No, Substack (or Cloudflare, wherever the problem is) is run by people who have no idea how text input works.

It's more so that Cloudflare has a WAF product that checks a box for security and makes people who's job it is to care about boxes being checked happy.

For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error, including /etc/hosts and other ones such as:

  ../../apache/logs/error.log
  AND%20(SELECT%208203%20FROM%20(SELECT(SLEEP(5)))xGId)
  /../..//../..//../..//../winnt/system32/netstat.exe?-a

We ended up deploying a WAF to block all these requests, even though it didn't improve security in any meaningful way.

This is like banning quotes from your website to 'solve' SQL injection...

> is run by people who have no idea how text input works

That's a very uncharitable view. It's far more likely that they are simply using some WAF with sane defaults and never caught this. They'll fix it and move on.

My thought exactly - this isn't an example of balance between "security vs usability" - this is just wrong behaviour.

It's a text string that is frequently associated with attacks and vulnerabilities. In general you want your WAF to block those things. This is indeed the point of a WAF. Except you also don't want it to get in the way of normal functionality (too much). That is what the security vs usability trade off is.

This particular rule is obviously off. I suspect it wasn't intended to apply to the POST payload of user content. Perhaps just URL parameters.

On a big enough website, users are doing weird stuff all the time and it can be tricky to write rules that stop the traffic you don't want while allowing every oddball legitimate request.