Barry,

On Thu, May 12, 2016 at 10:01:53AM +0100, Barry Pollard wrote:
> I had a look at this rule before and am not a fan. CSRF_TOKENs
> should come from the app in my mind and not the WAF. However
> ModSecurity does have a method of using them, which is an interesting
> proof of concept, but I think it's flaky for a number of reasons.
Thank you for sharing your experience / observations. This was exactly my impression of this rule as well.

I have sites in production that use persistent collections and prepend/append constructs. But the scope is very limited and none is high traffic. So yes, this can be made to work, but it's a road that is rarely travelled. It's kind of adventurous.

Ahoj,

Christian

--
If you have men who will only come if they know there is a good road, I don't want them. I want men who will come if there is no road at all.
-- David Livingstone

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
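The thread above argues that CSRF tokens belong in the application rather than in the WAF. As an added illustration (not code from the mailing list, from ModSecurity or from the CRS project), the following Python sketch shows the application-side approach: the app issues a token bound to the user's session with an HMAC over a random nonce, and verifies it on every state-changing request with a constant-time comparison. The server secret, the session ids and the form dictionary are constructed placeholders; a real deployment loads the secret from configuration and takes the session id from its session layer.

```python
import hashlib
import hmac
import secrets

# Constructed example secret; in production load this from configuration,
# never from source, and rotate it like any other key material.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Issue a token for the given session.

    The token is "<nonce>.<mac>", where mac = HMAC-SHA256(secret, session:nonce).
    Binding the MAC to the session id means a token captured for one session
    is useless for another, and the server needs no per-token storage.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Return True only if the token was issued for this session and is intact."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False  # malformed token (no separator)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, mac)


def handle_post(session_id: str, form: dict) -> tuple:
    """Hypothetical POST handler: reject the request unless the CSRF token verifies.

    `form` stands in for the parsed request body; the token field name is assumed.
    """
    token = form.get("csrf_token", "")
    if not verify_csrf_token(session_id, token):
        return 403, "CSRF token missing or invalid"
    return 200, "ok"


if __name__ == "__main__":
    sid = "session-A"
    tok = issue_csrf_token(sid)
    print("issued:", tok)
    print("same session:", handle_post(sid, {"csrf_token": tok}))
    print("other session:", handle_post("session-B", {"csrf_token": tok}))
    print("no token:", handle_post(sid, {}))
```

Because the token is derived from the session rather than stored, the application can issue one per form render without keeping state, and a WAF in front of it has nothing to inject or track; it only needs to pass the request through.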