if you have ever been curious about running a web application firewall (WAF) in front of Mastodon or another fediverse instance, i've published a repo containing the #openappsec policy we're now using to maximize privacy. i've recently turned on prevent mode, blocking critical events
https://code.disobey.net/dd/ap-waf
there's a lot of skip exceptions needed in order to not block required ActivityPub transactions. even things like changing a password in Mastodon are seen as a critical (false) positive
given the number of skip exclusions, there's a lot of attack surface that admins won't be able to action on since so much of ActivityPub looks malicious, and a targeted attack could easily take advantage of these necessary skip policies
i'm curious if any ActivityPub devs have ever run a WAF in front of their instance, and curious if any improvements can be made to the spec to reduce transactions that look like malicious behavior
i have to trust that for the ActivityPub exclusions, Mastodon properly sanitizes inputs and so the overall risk is still low
either way, this is a big win for overall risk reduction for anyone serious about protecting their community