标签:include 会话管理 api pre pac 访问 级别 local sam
1、应用服务级别的安全考虑
引入web安全中的十大安全方向:
OWASP: 开源web应用安全项目。Open Web Application Security Project
十大安全问题:
SQL 注入、失效的身份认证和会话管理、跨站脚本(xss)、失效的访问控制、安全配置错误、
敏感信息泄露、攻击检测与防护不足、跨站请求伪造(CSRF)、使用含有已知漏洞的组件、未受保护的API
2、应用级别安全选择
对比分析当下主流安全插件
naxsi、modlibsecurity
3、测试应用
4、数据分析
5、功能性用途:
为了解决 top 10 问题
6、加载规则
ModSecurity的企业赞助商TrustWave Spiderlabs提供的推荐的ModSecurity配置
Add Include directives in the main NGINX WAF configuration file (/etc/nginx/modsec/main.conf, created in Step 4 of Protecting the Demo Web Application) to read in the CRS configuration and rules. Comment out any other rules that might already exist in the file, such as the sample SecRule directive created in that section.
# Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf
# OWASP CRS v3 rules
Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-901-INITIALIZATION.conf
官方网站的解释:
web application firewalld (WAF) 功能
标签:include 会话管理 api pre pac 访问 级别 local sam
原文地址:https://www.cnblogs.com/xiaohaizai/p/10064138.html