Chapter 9. Protecting a Web Application
In this chapter, we will use the knowledge we have gained about ModSecurity to implement a protective ruleset for a real-world web application. The ruleset will be based on a positive security model, so anything which is not explicitly allowed through will be denied. You can compare the positive security model to a bouncer standing guard at a popular club. In his hand he has a list of all the celebrities that are allowed into the club. Anyone not on this list is denied entry. The positive security model works the same way—we explicitly define what is allowed and reject everything else.
We encountered the positive security model in the previous chapter when we saw how it could be implemented using the graphical Remo tool. However, for this chapter we will write the rules by hand to get a feel for how the details of this sort of security model are implemented in practice.
