LWN: Comments on "ModSecurity for web-application firewalls"
https://lwn.net/Articles/708673/
This is a special feed containing comments posted to the individual LWN article titled "ModSecurity for web-application firewalls".
Thu, 09 Oct 2025 00:33:24 +0000

https://lwn.net/Articles/709580/
dune73

It is tempting to do the full input validation via ModSecurity rules. But the client and the application are in a much better position to do so.

Not having a surname is a typical example. It's up to the application to decide what to do with such a registration. ModSecurity should concentrate on security and leave people without a surname alone.

Sun, 18 Dec 2016 04:57:27 +0000

https://lwn.net/Articles/709544/
anselm

Actually, people may not even have surnames. Fortunately the original regex takes that into account; let's hope that the actual application does, too.

Sat, 17 Dec 2016 11:15:22 +0000

https://lwn.net/Articles/709533/
dune73

Sure thing. It's a simple example with a simple regex.

The real world rules for free text fields are a bit more complex.

Sat, 17 Dec 2016 04:50:10 +0000

https://lwn.net/Articles/709478/
smurf

Surnames may have spaces, non-ASCII letters, apostrophes, and whatnot. Summary: Please don't do that.

Fri, 16 Dec 2016 16:49:33 +0000