On 8/22/06, Ian Holsman <[EMAIL PROTECTED]> wrote:
> On 21/08/2006, at 9:24 PM, [EMAIL PROTECTED] wrote:
> > @ Ahmad - mod_security (modsecurity.org) is fantastic, and I highly
> > recommend installing it on all apaches, but filtering content at the
> > webserver level is a sledgehammer approach and should only be done for
> > *really* bad content (e.g. known exploits, spam bots etc)
>
> you should be doing filtering exactly the opposite way than this.
>
> You deny everything by default, and have holes added when you need them.
> and when you poke a hole you have a reference to why it is required
> (ie what module needs a particular variable unfiltered)
>
> Things which you don't know will hurt you unfortunately. and by
> using deny by default with a big sledgehammer will
> stop a lot of these things before they even touch your code.
>
> doing it the other way requires a conscious effort to maintain the
> firewall, and you won't know when you are failing.
Obviously, mod_security is not the only solution; it will just provide some extra security. I don't think that it is a flawed method of security by itself; this is the same model used in anti-virus, anti-spyware and spam protection. You maintain a long list of known threats that you test against.

I can argue that the kind of passive security you are talking about, as in everything is denied by default, is already present in Django. It is not like variables are passively going all the way to your templates and being randomly embedded in there. You are actively passing a variable to the template through context and embedding it at certain places. You are just poking a hole in this firewall. But if you keep poking holes in all the wrong places, then it is not the framework's fault. Autoescaping might be a nice DRY feature, but I don't think it has anything to do with being secure by default.
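To make the two models under debate concrete, here is an added example (not code from this thread and not Django's template engine) that contrasts "embed as-is, escape where you remember to" with "escape everything, mark a value safe only where you deliberately poke the hole". The `{{ name }}` placeholder syntax, the `SafeString` marker and the sample input are all constructed for this illustration.

```python
import html
import re

# Minimal stand-in for template rendering, constructed for this example;
# it is not Django's engine.  Placeholders look like {{ name }}.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class SafeString(str):
    """Marker for markup the developer has explicitly vouched for.

    This is the deliberate 'hole' in a deny-by-default model: it has to be
    requested per value, with a reason, instead of being the default."""


def render_raw(template, context):
    """Model 1: each value is embedded exactly as passed.

    Escaping is the developer's job at every placeholder, so a single
    forgotten call leaks markup into the page."""
    return PLACEHOLDER.sub(lambda m: str(context.get(m.group(1), "")), template)


def render_autoescape(template, context):
    """Model 2: every value is HTML-escaped unless it is a SafeString.

    Forgetting to mark a value only costs the display of a literal '<';
    it never costs script execution."""
    def repl(match):
        value = context.get(match.group(1), "")
        if isinstance(value, SafeString):
            return str(value)
        return html.escape(str(value), quote=True)
    return PLACEHOLDER.sub(repl, template)


if __name__ == "__main__":
    # Constructed user-supplied comment body, as a form might submit it.
    untrusted = '<script>alert("x")</script>'
    tpl = "<p>{{ user }} said: {{ body }}</p>"
    ctx = {"user": "alice", "body": untrusted}
    print(render_raw(tpl, ctx))          # markup passes straight through
    print(render_autoescape(tpl, ctx))   # markup neutralised by default
    # Poking a hole on purpose: only the field we chose to trust stays raw.
    ctx["user"] = SafeString("<b>alice</b>")
    print(render_autoescape(tpl, ctx))
```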