@nickg You should consider implementing something higher up so it doesn't even hit your app server -- either modsecurity at your webserver level, a reverse proxy behind your load balancer, or something external like CloudFlare outside your perimeter. I've actually worked on a lot of this stuff lately.
nickg
04/29/2022, 5:01 PM
@luongj I would be interested in Cloudflare. Do you know if they have a free tier? How is the pricing?
nickg
04/29/2022, 5:04 PM
@luongj re: modsecurity, that looks like a Unix tool. We're using IIS at the moment - do you know if there is a similar tool for IIS?
luongj
04/29/2022, 5:05 PM
RE: CloudFlare, haven't worked with them, but they are very popular and have a free tier. You probably want to go to at least the Pro tier to get the WAF; I'm not sure if the "Free Managed Ruleset" will get you there.
https://www.cloudflare.com/plans/#overview
@luongj Thank you. Are these issues that you are actively managing / mitigating? If so, how? If not, again, I really appreciate the info.
luongj
04/29/2022, 5:10 PM
@nickg For some context, I work on an ecommerce platform on Google Cloud. We historically used Akamai (which is basically the same place as where CloudFlare sits), but now use a combination of Google Cloud security services (pretty weak), Apache+modsecurity, and a reverse-proxy based on nginx called Wallarm.
I recently evaluated some others. If you don't want to air out specifics of your context, you can DM me.