mod-security-users

[mod-security-users] Recommeded vs Minimum Configuration

[Ann H. <sea...@ha...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is just a question between the difference between the recommended minimum
configuration in the documentation and the minimum configuration for httpd.conf
in the distribution.

DOCUMENTATION:
SecFilterCheckCookieFormat Off

(Includes HEAD and a semicolon at the end)
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type \
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

DISTRIBUTION COPY:
SecFilterCheckCookieFormat On

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type
"!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"




Also is default status code 403 (forbidden) a better choice than 500 (server
bad) as I have seen 500 recommended in an article.


Thanks,
Beginning mod_security user and small-time webmaster
Ann

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCL5o7hs7JGk93PT0RAg9bAKC2OiKsymYvmLidX8ksOKMvF4Ua4gCguJas
VqTQ0A38mJmSdKSXlAl4Hc0=
=l8el
-----END PGP SIGNATURE-----

Re: [mod-security-users] Recommeded vs Minimum Configuration

[Ivan R. <iv...@we...>]

Ann Hopkins wrote:
> DOCUMENTATION:
> SecFilterCheckCookieFormat Off

   Since 1.8.7 the SecFilterCheckCookieFormat directive does
   nothing (read about it in the manual). I don't see this
   changing in the future.


> (Includes HEAD and a semicolon at the end)
> # Only accept request encodings we know how to handle
> # we exclude GET requests from this because some (automated)
> # clients supply "text/html" as Content-Type
> SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
> SecFilterSelective HTTP_Content-Type \
> "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

   This is better. HTTP clients are not required to send a
   Content-Type header when HEAD is used.

   The semicolon at the end is not very important - I am yet
   to encounter a valid HTTP client that does not use it.


> Also is default status code 403 (forbidden) a better choice than 500 
> (server bad) as I have seen 500 recommended in an article.

   They are the same. 500 is somewhat "more stealthy" because
   it could be interpreted as internal error (and error often
   occur when someone is trying to hack). 403 implies the web
   server determined the request may be bad in some way.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org