ModSecurity Handbook: Getting Started - Bad Request
ModSecurity Handbook: Getting Started - Bad Request
ModSecurity Handbook: Getting Started - Bad Request
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Guiding Principles<br />
There are four guiding principles on which <strong>ModSecurity</strong> is based, as follows:<br />
Flexibility<br />
I think that it’s fair to say that I built <strong>ModSecurity</strong> for myself: a security expert who<br />
needs to intercept, analyze, and store HTTP traffic. I didn’t see much value in hardcoded<br />
functionality, because real life is so complex that everyone needs to do things<br />
just slightly differently. <strong>ModSecurity</strong> achieves flexibility by giving you a powerful rule<br />
language, which allows you to do exactly what you need to, in combination with the<br />
ability to apply rules only where you need to.<br />
Passiveness<br />
<strong>ModSecurity</strong> will take great care to never interact with a transaction unless you tell it<br />
to. That is simply because I don’t trust tools, even the one I built, to make decisions for<br />
me. That’s why <strong>ModSecurity</strong> will give you plenty of information, but ultimately leave<br />
the decisions to you.<br />
Predictability<br />
There’s no such thing as a perfect tool, but a predictable one is the next best thing.<br />
Armed with all the facts, you can understand <strong>ModSecurity</strong>’s weak points and work<br />
around them.<br />
Quality over quantity<br />
Over the course of six years spent working on <strong>ModSecurity</strong>, we came up with many<br />
ideas for what <strong>ModSecurity</strong> could do. We didn’t act on most of them. We kept them<br />
for later. Why? Because we understood that we have limited resources available at our<br />
disposal and that our minds (ideas) are far faster than our implementation abilities.<br />
We chose to limit the available functionality, but do really well at what we decided to<br />
keep in.<br />
There are bits in <strong>ModSecurity</strong> that fall outside the scope of these four principles. For example,<br />
<strong>ModSecurity</strong> can change the way Apache identifies itself to the outside world, confine the<br />
Apache process within a jail, and even implement an elaborate scheme to deal with a onceinfamous<br />
universal XSS vulnerability in Adobe Reader. Although it was I who added those<br />
features, I now think that they detract from the main purpose of <strong>ModSecurity</strong>, which is a<br />
reliable and predictable tool that allows for HTTP traffic inspection.<br />
Deployment Options<br />
<strong>ModSecurity</strong> supports two deployment options: embedded and reverse proxy deployment.<br />
There is no one correct way to use them; choose an option based on what best suits your<br />
circumstances. There are advantages and disadvantages to both options:<br />
Guiding Principles 7