
603 points scalewithlee | 1 comments

robertlagrant No.43795642
> This case highlights an interesting tension in web security: the balance between protection and usability.

This isn't a tension. This rule should not be applied at the WAF level. It doesn't know that this field is safe from $whatever injection attacks. But the Substack backend does. Remove the rule from the WAF (and add it to the backend, where it belongs) and you are just as secure and much more usable. No tension.

replies(2): >>43795884 >>43797396

worewood No.43795884

There is a tension, but it's between paying developers enough to actually produce decent code or paying a third party to firewall the application.

replies(1): >>43798491

marcosdumay No.43798491
Again, there is no tension.

People will manage to circumvent the firewall if they want to attack your site. But you will still pay, and get both the DoS vulnerabilities created by the firewall and the new attack vectors in the firewall itself.