0 views collected around this technical thread.
This guide explains step‑by‑step how to set up a Web Application Firewall by installing LuaJIT, ngx_devel_kit, lua‑nginx‑module, compiling Nginx with Lua support, fixing common errors, and optionally using OpenResty, followed by configuring and testing the ngx_lua_waf module.
This article explains essential techniques to protect PHP applications from SQL injection attacks, covering prepared statements, input validation, ORM usage, escaping, stored procedures, permission restrictions, web application firewalls, and logging, with practical code examples for PDO, MySQLi, and Eloquent.
A seemingly tiny 8‑byte request body size restriction caused a production outage in a serverless education platform, leading the team through extensive debugging, discovery of an AWS WAF payload limit, and ultimately a fix that highlighted the importance of proper documentation and infrastructure awareness.
This guide explains how to build a dynamic IP blacklist using Nginx, Lua, and Redis, covering installation of LuaJIT, compiling Nginx with required modules, configuring Redis, writing Lua access‑limit scripts, and verifying that frequent requests are automatically blocked for a set period.
This article explains why web applications need a Web Application Firewall, introduces ModSecurity as a WAF for Nginx, and provides step‑by‑step installation, configuration, custom rule creation, and service restart commands to defend against attacks such as SQL injection and XSS.
The article delivers a technical overview of modern botnet threats, detailing the PBot and Xanthe families, their infection vectors, command‑and‑control operations, and provides practical detection, mitigation, and statistical analysis methods for defending against large‑scale DDoS, spam, and other malicious activities.
Tencent Cloud helped the viral game 《羊了个羊》 scale from 5,000 QPS to support over 100 million daily active users in a week by using serverless Kubernetes auto‑scaling, real‑time logging, WAF/Anti‑DDoS protection, CDN, and read‑write separation with Redis, achieving high performance, availability, and scalability.
The article details a step‑by‑step investigation of a form‑submission cross‑origin error in a front‑back separated system, tracing the HTTP request flow through DNS, Nginx, Tomcat, and finally identifying a WAF XSS rule that blocked a specific moduleExport field, and explains how the issue was resolved by adjusting the WAF configuration.
The article recounts a real‑world incident where a JSON POST from a front‑end domain triggered a cross‑origin 418 error because a Web Application Firewall’s XSS filter mistakenly blocked a JavaScript validator field, and after the security team modified the WAF rules the issue was resolved, highlighting systematic debugging and deep knowledge of DNS, Nginx, ingress, Tomcat and WAF layers.
This article provides a comprehensive analysis of SQL injection vulnerabilities, covering their principles, testing tools, repair methods, and defense strategies, with practical implementation guidance for secure web application development.
This article explains the differences between Next‑Generation Firewalls and Web Application Firewalls, highlighting the additional protection that a WAF—especially F5’s solution—provides for complex web applications and why combining both technologies offers comprehensive security.
This article examines the prevalence of SQL injection attacks, presenting Imperva’s recent statistics, common attack vectors, real-world examples, and practical defenses such as prepared statements, input sanitization, and web application firewalls, while also offering Python code illustrations of secure and insecure database queries.
This article examines the rise of web‑application firewalls, outlines common deployment challenges, compares several WAF operating modes—including bypass, layer‑2 transparent, and proxy architectures—and proposes load‑balancing strategies to achieve secure, high‑availability web services.
Boundary defense—protective measures at business and IT entry points such as firewalls, WAFs, and secure development lifecycles—provides early‑stage enterprises a clear perimeter through detection, response, protection, and policy, as illustrated by Youzan’s web‑gate WAF, SDL checkpoints, DNS monitoring, and automated security‑ticket processes, enabling a shift toward deeper, defense‑in‑depth strategies.
The article introduces major web security threats such as XSS, injection, CSRF, explains their mechanisms with examples, and presents defensive measures including input sanitization, HttpOnly cookies, web application firewalls, and encryption methods like hashing, symmetric and asymmetric cryptography.
This article describes Ctrip's challenges with web security, evaluates hardware and commercial cloud WAF shortcomings, and presents a low‑cost, low‑risk cloud‑based WAF solution that leverages DNS redirection, closed‑loop rule management, Lua/Tengine deployment, supervised machine‑learning log analysis, and big‑data streaming for real‑time threat detection and mitigation.
This article walks you through designing, installing, and configuring a custom WAF using Nginx and Lua (OpenResty), covering core modules, pain points of native Nginx security, code examples, deployment tips, and future enhancements for robust web protection.
The article presents a comprehensive list of one hundred concrete web‑application security techniques—ranging from HTTP request analysis and token validation to WAF rule conversion, honeypot deployment, IP reputation checks, and response‑time monitoring—derived from the book “Web Application Defender's Cookbook” and illustrated with real‑world examples and tool references.
The article presents a comprehensive list of one hundred practical web‑application defense techniques—ranging from HTTP request analysis and ModSecurity rule creation to honeypot deployment and automated threat intelligence—drawn from the under‑appreciated book “Web Application Defender’s Cookbook.”