hosts" breaks the Substack editor

(scalewithlee.substack.com)

603 points scalewithlee | 2 comments | 25 Apr 25 13:48 UTC | HN request time: 0.461s | source

Show context

paxys ◴[25 Apr 25 14:09 UTC] No.43793735[source]▶

This isn't a "security vs usability" trade-off as the author implies. This has nothing to do with security at all.

/etc/hosts

See, HN didn't complain. Does this mean I have hacked into the site? No, Substack (or Cloudflare, wherever the problem is) is run by people who have no idea how text input works.

replies(5): >>43793752 #>>43793805 #>>43793852 #>>43793880 #>>43794047 #

1. eli ◴[25 Apr 25 14:19 UTC] No.43793852[source]▶

>>43793735 #

It's a text string that is frequently associated with attacks and vulnerabilities. In general you want your WAF to block those things. This is indeed the point of a WAF. Except you also don't want it to get in the way of normal functionality (too much). That is what the security vs usability trade off is.

This particular rule is obviously off. I suspect it wasn't intended to apply to the POST payload of user content. Perhaps just URL parameters.

On a big enough website, users are doing weird stuff all the time and it can be tricky to write rules that stop the traffic you don't want while allowing every oddball legitimate request.

replies(1): >>43796052 #

2. SonOfLilit ◴[25 Apr 25 17:04 UTC] No.43796052[source]▶

>>43793852 (TP) #

Your auditor wants your WAF to block those things. _You_, at least I, never ever want to have a WAF at all, as they cause much more harm than good and, as a product category, deserve to die.

↑