top | item 39167124

1B05H1N | 2 years ago

I work in application/product security and have managed WAFs for multi-billion dollar companies for many many years.

Move DNS to Cloudflare and put a few WAF rules on your site (managed challenge if bot score less than 2 / attack score == x). I doubt you'll even pay anything, and it will resolve a lot of your problems. Just test it before moving it to production please (maybe set up a test domain). Remember, a WAF is not an end-all, be-all; it's more of a band-aid. If your app isn't hardened to handle attacks, no amount of advanced WAF/bot protection will save it.

Message/email me if you need help.

93n | 2 years ago

Selfhoster here. I use mutual TLS rules with CloudFlare's WAF to filter out everyone but my known-good callers. Works great. Since the only folks with access are my family, it was pretty easy to set up as well (everyone gets a unique cert that I can revoke if need be).
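The per-person certificate scheme 93n describes, as an added Go example that is not the commenter's code and not Cloudflare's: a small in-memory family CA issues one client-auth certificate per caller, and the verification step chains the presented certificate to that CA, requires the client-auth extended key usage, and rejects revoked serials. Revocation here is a constructed in-memory serial set standing in for a real CRL, and the CA lives in the process rather than being uploaded to Cloudflare, which is where the edge check would actually run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// familyCA is a constructed, in-memory certificate authority: one root cert,
// a serial counter so every issued cert is unique, and a revoked-serial set
// that stands in for a CRL in this example.
type familyCA struct {
	cert       *x509.Certificate
	key        *ecdsa.PrivateKey
	pool       *x509.CertPool
	nextSerial int64
	revoked    map[string]bool
}

// newFamilyCA creates a self-signed root that may sign client certificates.
func newFamilyCA() (*familyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Family Root CA (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &familyCA{cert: cert, key: key, pool: pool, nextSerial: 2, revoked: map[string]bool{}}, nil
}

// issue signs a unique client-auth certificate for one named family member.
// The private key is generated and discarded here; a real setup hands it to
// the person along with the certificate.
func (ca *familyCA) issue(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// revoke marks one person's certificate as no longer acceptable.
func (ca *familyCA) revoke(c *x509.Certificate) {
	ca.revoked[c.SerialNumber.String()] = true
}

// verifyCaller is the check the edge performs on a presented client cert:
// chain to the family root with the client-auth EKU, then reject revoked serials.
// The chain check runs first so a foreign CA's cert cannot match a serial here.
func (ca *familyCA) verifyCaller(c *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: ca.pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return err
	}
	if ca.revoked[c.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	return nil
}

func main() {
	ca, _ := newFamilyCA()
	alice, _ := ca.issue("alice")
	bob, _ := ca.issue("bob")
	ca.revoke(bob)
	fmt.Println("alice:", ca.verifyCaller(alice)) // nil: accepted
	fmt.Println("bob:  ", ca.verifyCaller(bob))   // certificate revoked
}
```

The point of the ordering in verifyCaller is that revocation is keyed by serial, and serials are only unique within one issuer, so the chain check has to succeed before the serial lookup means anything.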

asabla | 2 years ago

Usually I only manage internal-facing applications these days, which makes the attack surface greatly reduced compared to public ones.

But since you seem to have a lot of knowledge in this area: have you managed solutions which also include infrastructure in Azure combined with Cloudflare?

And if so, any suggestions on things people usually miss, except for the usual stuff of OWASP and whatnot?

cloudking | 2 years ago

This works well for standard WordPress sites, throw in GuardGiant and Sucuri plugins for extra layers.

ozim | 2 years ago

Putting WAF on app and calling it a day is indeed putting lipstick on a pig.

I can imagine that might be needed if some company for some reason has to run some not really up-to-date stuff, but yeah, it is just a band-aid.

418tpot | 2 years ago

[flagged]

dang | 2 years ago

Can you please not post in the flamewar style? It's not what this site is for, and destroys what it is for.

You're welcome to make your substantive points thoughtfully but it needs to be within the rules. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.

chaxor | 2 years ago

Agreed

We should be suggesting self hosted and decentralized solutions to website hosting and file hosting.

On that note, does anyone have any secure methods of serving a file from your computer to anyone with a phone/computer that doesn't require them downloading/installing something new? Just a password or something? Magic-wormhole almost seems great, but it requires the client to install wormhole (on a computer, not a phone), and then type specific commands along with the password.

Is there a simple `iroh serve myfile.file` from server and then client goes to https://some.domain.iroh/a086c07f862bbe839c928fce8749 and types in a password/ticket you give them?

That would be wonderful.

esafak | 2 years ago

You criticize but don't offer suggestions. What do you use instead of Cloudflare?

redcobra762 | 2 years ago

It’s kind of an absurd notion to think the Internet would just allow Cloudflare to make any kind of unilateral decisions like what you suggest.

NicoJuicy | 2 years ago

> Once Cloudflare starts using attestation to block anyone not on Chrome/iOS Safari it'll be too late to do anything about it.

That's just plain bs...

Eg

1) they have customers and their customers want protection, with minimal downsides.

2) Cloudflare is the only one with support for Tor. I'm 100% sure you didn't know that.

What "examples" do you have to blame them for something they aren't doing? Based on what?

I'm getting tired of people blaming Cloudflare for providing a service that no one else can provide for free to small website owners => DDoS protection.

solumunus | 2 years ago

> Hacker news is so funny, they complain about the amount of power we've allowed Google, Amazon, and Microsoft to have, and then go right around and recommend putting everything behind Cloudflare.

It’s almost as if those saying contradictory things are actually different people despite being on the same website. But it can’t be that, surely? Truly a perplexing phenomenon that I hope someone can one day explain.