Remix clone Hacker News

I love that having a web application firewall set to allow EVERYTHING passes the checkbox requirement ...

(I’m in the anti-WAF camp) That does stand to improve your posture by giving you the ability to quickly apply duct tape to mitigate an active mild denial of service attack. It’s not utterly useless.

▲

krferriter a day ago | parent | next [-]

Denial of service prevention and throttling of heavy users is a fine use, searching for a list of certain byte strings inside input fields and denying requests that contain them isn't.

▲

elevation a day ago | parent | prev [-]

Doesn't it also add latency to every request?

▲

tough a day ago | parent | next [-]

I think the main point is the WAF companies must have lobbied to get that into the checklist

the main point is you need to pay a third party

▲

CoffeeOnWrite a day ago | parent [-]

You can call your existing reverse proxy a WAF to check this checklist item. (Your point still stands, on the median companies may opt to purchase a WAF for various reasons.)

	▲	zelphirkalt 16 hours ago \| parent [-]
		Often it is just pushing responsibility.

▲

formerly_proven a day ago | parent | prev | next [-]

So does running McAfee on every POST body but some places really wanna do that regardless. (I at least hope the scanner isn't running in the kernel for this one).

	▲	jrockway a day ago \| parent [-]
		Yeah, we were asked to do this at my last job by some sort of security review. This one doesn't bother me as much. "Display 'network error' whenever a user uploads a file containing 'SELECT *'" is a bad user experience. "Some files in this repository have been flagged as containing a virus and are not visible in the web interface until allowed by an administrator," is OK with me, though.

▲

swyx a day ago | parent | prev | next [-]

sure but how much? 3-10ms is fine for the fast protection when shit hits the fan.

▲

thunderfork a day ago | parent | prev [-]

[dead]