| ▲ | kiitos a day ago | |
And a rule that denies everything blocks all vulnerabilities entirely. A false positive from a conservative evaluation of a query parameter or header value is one thing, conceivably understandable. A false positive due to the content of a blog post is something else altogether. | ||
| ▲ | afiori a day ago | parent [-] | |
This is a strawman, especially if like the parent claims this was improving security for one of the most popular website backends ever. Rules like this might very well have had incredible positive impact on ten of thousands of websites at the cost of some weird debugging sessions for dozens of programmers (made up numbers obviously). | ||