Re: [mod-security-users] Mandatory headers (protocol anomalies)
From: Marc S. <mar...@ad...> - 2007-06-15 12:30:38
Barnett,

I agree that everybody should adapt the rules for their own usage, but I was just suggesting that the core rules you release could be "closed by default", as all specialists recommend. In case a user upgrades the core rules, he may introduce a security hole, which may never be noticed.

Marc

Ryan Barnett wrote:
> Marc,
> Making the decision to change any action from detection-only to actually
> blocking is something that each Mod user will have to determine
> themselves. As you mentioned, these rules are here for a reason as the
> RFC states that these headers are mandatory. The problem is that there
> are some legitimate clients (handheld devices with browser capability
> for instance) that don't always send these headers.
>
> After running these rules for awhile and analyzing the results, if you
> feel that the vast majority of alerts are valid then you can go ahead
> and switch to deny mode.
>
> FYI - the status action will only be used when a disruptive action is
> specified.