if you have ever been curious about running a web application firewall (WAF) in front of Mastodon or another fediverse instance, i've published a repo containing the #openappsec policy we're now using to maximize privacy. i've recently turned on prevent mode, blocking critical events
https://code.disobey.net/dd/ap-waf
there's a lot of skip exceptions needed in order to not block required ActivityPub transactions. even things like changing a password in Mastodon are seen as a critical (false) positive
given the number of skip exclusions, there's a lot of attack surface that admins won't be able to action on since so much of ActivityPub looks malicious, and a targeted attack could easily take advantage of these necessary skip policies
i'm curious if any ActivityPub devs have ever run a WAF in front of their instance, and curious if any improvements can be made to the spec to reduce transactions that look like malicious behavior
i have to trust that for the ActivityPub exclusions, Mastodon properly sanitizes inputs and so the overall risk is still low
either way, this is a big win for overall risk reduction for anyone serious about protecting their community
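As an added example (not code from the poster's repo or from open-appsec), one way to keep some visibility over the traffic those skip exceptions wave through: the exception list and the proxy log lines below are constructed, simplified stand-ins rather than open-appsec's policy format, and the check relies on genuine inbox deliveries carrying an HTTP Signature header and an ActivityPub content type.

```python
import json
import re

# Constructed, simplified skip-exception list (NOT open-appsec's policy schema):
# the ActivityPub endpoints the WAF is told not to inspect.
SKIP_EXCEPTIONS = [
    {"name": "shared-inbox", "methods": {"POST"}, "path": r"^/inbox$"},
    {"name": "user-inbox", "methods": {"POST"}, "path": r"^/users/[^/]+/inbox$"},
    {"name": "webfinger", "methods": {"GET"}, "path": r"^/\.well-known/webfinger$"},
]

def matching_exception(method, path):
    """Name of the skip exception a request falls under, or None if inspected."""
    for exc in SKIP_EXCEPTIONS:
        if method in exc["methods"] and re.match(exc["path"], path):
            return exc["name"]
    return None

def audit_request(req):
    """Flag a request that bypassed WAF inspection via a skip exception yet lacks
    the markers real federation traffic carries (HTTP Signature, AP content type)."""
    name = matching_exception(req["method"], req["path"])
    if name is None:
        return None  # the WAF inspected this one normally
    headers = {k.lower(): v for k, v in req["headers"].items()}
    findings = []
    if req["method"] == "POST":
        if "signature" not in headers:
            findings.append("unsigned POST to skipped inbox")
        ctype = headers.get("content-type", "").split(";")[0].strip()
        if ctype not in ("application/activity+json", "application/ld+json"):
            findings.append(f"non-ActivityPub content-type {ctype or '<none>'}")
    return {"exception": name, "findings": findings}

def audit_log(lines):
    """Run the audit over JSON-lines proxy log entries; return (path, result) hits."""
    hits = []
    for line in filter(str.strip, lines):
        req = json.loads(line)
        result = audit_request(req)
        if result and result["findings"]:
            hits.append((req["path"], result))
    return hits

# Constructed sample log lines (not real traffic), one JSON object per request.
SAMPLE_LOG = """\
{"method":"POST","path":"/inbox","headers":{"Signature":"keyId=\\"https://example.org/actor#main-key\\"","Content-Type":"application/activity+json"}}
{"method":"POST","path":"/users/alice/inbox","headers":{"Content-Type":"application/x-www-form-urlencoded"}}
{"method":"GET","path":"/.well-known/webfinger","headers":{"Accept":"application/jrd+json"}}
{"method":"POST","path":"/auth/password","headers":{"Content-Type":"application/x-www-form-urlencoded"}}
"""
```

Only the unsigned form POST to a user inbox is reported; the password change is outside every exception and stays with the WAF.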
@yawnbox@disobey.net some of the NodeBB forums I run sit in front of Cloudflare, although a lot of what they do is opaque to me.
The instance I am on does not go through CF, but I have deployed Anubis in order to stem bot and AI crawler traffic.
For the latter there are some adjustments that needed to be made for AP specifically.