Doesn't it also add latency to every request?

formerly_proven 8 months ago | parent | next [-]

So does running McAfee on every POST body but some places really wanna do that regardless. (I at least hope the scanner isn't running in the kernel for this one).

	▲	jrockway 8 months ago \| parent [-]
		Yeah, we were asked to do this at my last job by some sort of security review. This one doesn't bother me as much. "Display 'network error' whenever a user uploads a file containing 'SELECT *'" is a bad user experience. "Some files in this repository have been flagged as containing a virus and are not visible in the web interface until allowed by an administrator," is OK with me, though.

▲

tough 8 months ago | parent | prev | next [-]

I think the main point is the WAF companies must have lobbied to get that into the checklist

the main point is you need to pay a third party

▲

CoffeeOnWrite 8 months ago | parent [-]

You can call your existing reverse proxy a WAF to check this checklist item. (Your point still stands, on the median companies may opt to purchase a WAF for various reasons.)

	▲	zelphirkalt 8 months ago \| parent [-]
		Often it is just pushing responsibility.

▲

swyx 8 months ago | parent | prev | next [-]

sure but how much? 3-10ms is fine for the fast protection when shit hits the fan.

▲

thunderfork 8 months ago | parent | prev [-]

[dead]