<@U06V02D5Y> You should consider implementing some...
# cfml-general
l
@nickg You should consider implementing something higher up so it doesn't even hit your app server -- either modsecurity at your webserver level, a reverse proxy behind your load balancer, or something external like CloudFlare outside your perimeter. I've actually worked on a lot of this stuff lately.
n
@luongj I would be interested in Cloudflare. Do you know if they have a free tier? How is the pricing?
@luongj Re: modsecurity, that looks like a Unix tool. We're using IIS at the moment - do you know if there is a similar tool in IIS?
l
RE: CloudFlare, haven't worked with them, but they are very popular and have a free tier, but you probably want to go to at least the Pro Tier to get the WAF. I'm not sure if the "Free Managed Ruleset" will get you there. https://www.cloudflare.com/plans/#overview
I haven't worked with IIS in forever, but it looks like there is a module there for you, too. https://wiki.atomicorp.com/wiki/index.php/Modsecurity_iis
n
@luongj Thank you. Are these issues that you are actively managing / mitigating? If so, how? If not, again, I really appreciate the info.
l
@nickg For some context, I work on an ecommerce platform on Google Cloud. We historically used Akamai (which is basically the same place as where CloudFlare sits), but now use a combination of Google Cloud security services (pretty weak), Apache+modsecurity, and a reverse-proxy based on nginx called Wallarm. I recently evaluated some others. If you don't want to air out specifics of your context, you can DM me.
n
@luongj Thanks! That's very helpful.