[WEB SECURITY] Allow only certain urls to site
Gleb Paharenko
gpaharenko at gmail.com
Wed Jan 9 16:09:07 EST 2008
Hi.
Could someone please share their own experience or thoughts about allowing
only a limited set of URLs on a site? I mean that access is denied to any
URL which is not in the list. The number of regexps is minimal.
The list of allowed URLs can be found by logging user requests during
functionality testing.
Even more, we can try to determine the allowed set of GET and POST
parameters for each URL and prohibit other variants.
The question is: does it really make sense for someone?
How much work overhead falls on system administrators and developers?
In which cases is it better to use a separate server for filtering (with
mod_security perhaps), or to implement some ACLs on the working instance?
Has anybody researched the performance penalties of such filtering with a
huge set of ACLs on different servers?
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
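
The approach described in the message above, as an added example that is not part of the original post: an allowlist of method/path pairs and their parameter names is learned from requests recorded during functionality testing, and every other request is denied. The traffic sample and the names `TEST_TRAFFIC`, `learn` and `check` are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: requests recorded during functionality testing,
# as (method, URL, form-encoded POST body) tuples. Not real traffic.
TEST_TRAFFIC = [
    ("GET", "/", ""),
    ("GET", "/search?q=shoes&page=2", ""),
    ("GET", "/search?q=hats", ""),
    ("POST", "/login", "user=alice&password=x"),
    ("GET", "/item/17", ""),
]


def param_names(query):
    """Names of the parameters in a query string or form-encoded body."""
    return {name for name, _ in parse_qsl(query, keep_blank_values=True)}


def learn(traffic):
    """Build {(method, path): allowed parameter names} from recorded requests."""
    allow = {}
    for method, url, body in traffic:
        parts = urlsplit(url)
        names = param_names(parts.query) | param_names(body)
        allow.setdefault((method, parts.path), set()).update(names)
    return allow


def check(allow, method, url, body=""):
    """Return (allowed, reason); anything that was not learned is denied."""
    parts = urlsplit(url)
    known = allow.get((method, parts.path))
    if known is None:
        return False, "unknown method/path"
    extra = (param_names(parts.query) | param_names(body)) - known
    if extra:
        return False, "unexpected parameters: " + ", ".join(sorted(extra))
    return True, "ok"


ALLOW = learn(TEST_TRAFFIC)
```

Exact-path learning denies `/item/18` because only `/item/17` was seen in testing, which is where the small set of regexps mentioned in the message comes in. Any feature not exercised during testing is blocked until the list is updated.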