Discourse security

(Ghost53574) #1

I’ve read a couple of threads on Discourse web application security but haven’t come across a topic that delves into whether a WAF would help in the case of Discourse or not. I think it could, but it really all depends on the developers, I guess. I mean, my firewall rules already include the fw_snort rules and are managed by a script that gets run every day; with the automatic management of IP bans I only see a practical use for a WAF in very few cases. But I am no expert on this topic and any input would be much appreciated, so that fellow users of frameworks and rule sets such as mod_security will understand the implications with Discourse.

TL;TC: Is mod_security, or another WAF, required or beneficial to Discourse? @codinghorror

Thank you

(Jeff Atwood) #2

I don’t really understand what your question is. Can you be more specific? Maybe provide some real world examples?

(Kane York) #3

A web application firewall has a high chance of screwing stuff up. Discourse is largely immune to SQLi due to heavy use of ActiveRecord and low use of raw SQL (just in the perf-sensitive areas). All you would be doing is preventing certain posts from being created (e.g. `<script>alert(1)</script>` is a valid thing to put in a post).
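
An added illustration of the two points above, not code from the thread or from Discourse: Python's built-in sqlite3 stands in for ActiveRecord's bound parameters, and the signature list is a constructed, deliberately naive stand-in for generic WAF rules, not real ModSecurity/CRS rules. The post texts and table are constructed sample data.

```python
import re
import sqlite3

# Constructed sample inputs. The first is a legitimate forum post that quotes
# the very snippet mentioned above; the second is the textbook SQLi probe.
LEGIT_POST = "Why does <script>alert(1)</script> render as plain text in my reply?"
INJECTION_PROBE = "' OR 1=1 --"

# Constructed, naive pattern-matching "WAF" signatures (hypothetical, not CRS).
WAF_SIGNATURES = [
    re.compile(r"<script\b", re.I),            # crude XSS signature
    re.compile(r"'\s*or\s+1\s*=\s*1", re.I),   # crude SQLi signature
]


def waf_blocks(body: str) -> bool:
    """True if the naive signature set would reject this post body."""
    return any(sig.search(body) for sig in WAF_SIGNATURES)


def _posts_db() -> sqlite3.Connection:
    """In-memory table holding three constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, raw TEXT)")
    conn.executemany("INSERT INTO posts (raw) VALUES (?)",
                     [("first post",), (LEGIT_POST,), ("third post",)])
    return conn


def search_raw_sql(term: str) -> int:
    """'Before': SQL built by string interpolation, the bug a WAF tries to
    paper over from the outside. Returns the number of rows matched."""
    conn = _posts_db()
    sql = f"SELECT COUNT(*) FROM posts WHERE raw = '{term}'"
    return conn.execute(sql).fetchone()[0]


def search_parameterized(term: str) -> int:
    """'After': the value is passed as a bound parameter, which is what an
    ActiveRecord call like `Post.where(raw: term)` does for you."""
    conn = _posts_db()
    row = conn.execute("SELECT COUNT(*) FROM posts WHERE raw = ?", (term,))
    return row.fetchone()[0]


if __name__ == "__main__":
    # The WAF rejects a harmless post (false positive) ...
    print("WAF blocks legit post:", waf_blocks(LEGIT_POST))
    # ... while parameterization already neutralises the probe without it.
    print("raw SQL rows:", search_raw_sql(INJECTION_PROBE))
    print("parameterized rows:", search_parameterized(INJECTION_PROBE))
```

Run it and the interpolated query returns every row for the probe while the bound query returns none, and the signature set blocks the legitimate post that merely quotes `<script>alert(1)</script>`.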

(Ghost53574) #4

Alright, just wanted some input. Thank you