603 points scalewithlee | 2 comments

robertlagrant No.43795642
> This case highlights an interesting tension in web security: the balance between protection and usability.

This isn't a tension. This rule should not be applied at the WAF level. It doesn't know that this field is safe from $whatever injection attacks. But the Substack backend does. Remove the rule from the WAF (and add it to the backend, where it belongs) and you are just as secure and much more usable. No tension.

replies(2): >>43795884 #>>43797396 #
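The point above, as an added illustration that is not part of the thread: a blanket WAF signature inspects every field of every request with no idea how the backend uses the field, so a blog post that merely mentions a sensitive path trips it, while a filename parameter that carries a traversal string without any "known bad" path sails through. The backend, which knows that one field is rendered as escaped text and another becomes a filesystem path, can apply the right check to each. The signatures, field names and sample requests below are constructed for this example and are not any vendor's or Substack's real rules.

```python
import html
import re
from pathlib import PurePosixPath

# Constructed, context-free WAF signatures (hypothetical; not any real rule set).
WAF_SIGNATURES = [
    re.compile(r"/etc/(?:passwd|hosts|shadow)"),
    re.compile(r"<script\b", re.IGNORECASE),
]


def waf_accepts(body: dict) -> bool:
    """Blanket WAF check: reject the whole request if any field matches any signature.

    The WAF has no idea what each field is for, so an article that merely talks
    about /etc/hosts is indistinguishable from an injection payload.
    """
    return not any(sig.search(v) for v in body.values() for sig in WAF_SIGNATURES)


# Backend policy: the application knows how each field is used (constructed example).
#   "text"     -> rendered as HTML-escaped text; any characters are safe once escaped.
#   "filename" -> joined onto an upload directory; must be a bare file name with
#                 no directory components at all.
FIELD_POLICY = {"title": "text", "post_body": "text", "avatar_file": "filename"}


def backend_accepts(body: dict) -> tuple[bool, dict]:
    """Context-aware validation. Returns (accepted, cleaned_body)."""
    cleaned = {}
    for field, value in body.items():
        kind = FIELD_POLICY.get(field)
        if kind is None:
            return False, {}  # unknown fields are rejected outright
        if kind == "text":
            # Neutralise markup at the output boundary instead of banning words.
            cleaned[field] = html.escape(value)
        elif kind == "filename":
            p = PurePosixPath(value)
            # Anything with a directory part, or a bare "." / "..", is not a file name.
            if value != p.name or p.name in ("", ".", ".."):
                return False, {}
            cleaned[field] = p.name
    return True, cleaned


# Constructed sample requests.
LEGIT_POST = {
    "title": "Editing /etc/hosts on Linux",
    "post_body": "Open /etc/hosts and add a line like 127.0.0.1 example.test",
}
MARKUP_POST = {"post_body": "<script>alert(1)</script>"}
TRAVERSAL_UPLOAD = {"avatar_file": "../../etc/hosts"}
QUIET_TRAVERSAL_UPLOAD = {"avatar_file": "../uploads.conf"}  # no signature matches this

if __name__ == "__main__":
    for name, req in [("legit post", LEGIT_POST), ("markup post", MARKUP_POST),
                      ("traversal upload", TRAVERSAL_UPLOAD),
                      ("quiet traversal upload", QUIET_TRAVERSAL_UPLOAD)]:
        ok, cleaned = backend_accepts(req)
        print(f"{name:24s} WAF={'pass' if waf_accepts(req) else 'BLOCK'} "
              f"backend={'accept' if ok else 'REJECT'} {cleaned}")
```

Running it shows the two failure modes side by side: the WAF blocks the harmless article (a false positive the backend would never produce, because it escapes the text) and passes the `../uploads.conf` upload (a false negative the backend catches, because it knows that field must be a bare filename). Moving the check to where the field's meaning is known removes the usability cost without giving up the protection.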
1. myflash13 No.43797396
I would say it's a decent security practice to apply WAF as a blanket rule to all endpoints and then remove it selectively when issues like this occur. It's much, much harder to evaluate every single public-facing endpoint, especially when hosting third-party software like Wordpress with plugins.
replies(1): >>43797998 #
2. SonOfLilit No.43797998
I don't agree. WAFs usually add more attack surface than they remove.

https://www.macchaffee.com/blog/2023/wafs/

Of course, Wordpress is basically undefendable, so I'd never ever host it on a machine that has anything else of value (including e.g. db credentials that give access to much more than the public content on the WP installation).