Details
- Suggestion
- Resolution: Unresolved
Description
NOTE: This suggestion is for Confluence Server and Data Center.
Problem Definition
Confluence currently does not appear to be 100% compatible with the security rules defined in the OWASP ModSecurity Core Rule Set (CRS).
The rule set is not only used by Apache mod_security; it is also used by a large number of content delivery network (CDN) providers and by major cloud service providers, for example in the Microsoft Azure Application Gateway web application firewall.
Suggested Solution
Need to make Confluence more compatible with the OWASP WAF rule set: https://coreruleset.org/faq/
Why this is important
- Enterprise customers using CDNs and cloud services such as MS Azure are more likely to enable the OWASP WAF rules on their infrastructure. Because Confluence is not 100% compatible with them, those rules will prevent some Confluence functionality from working as expected.
Enforcing WAF rules is very useful for businesses as it makes their infrastructure more robust against attacks.
Workaround
In some instances, downgrading the OWASP version from 3.0.0 to 2.2.9 in the WAF rules has fixed the 400 Bad Request responses we got from the Azure Application Gateway WAF.
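As an added example (not part of this issue or of Atlassian's tooling), the check a defender would want before changing rule set versions: aggregate the Azure Application Gateway firewall log to see which CRS rules are actually blocking which Confluence URLs, so that a targeted rule exclusion can be considered instead of a blanket downgrade. The field names follow the ApplicationGatewayFirewallLog schema as I know it; the log records below are constructed, not real traffic.

```python
import json
from collections import defaultdict

# Constructed sample records in the ApplicationGatewayFirewallLog layout.
# Values are invented for illustration; only the field names follow Azure's schema.
SAMPLE_LOG_LINES = [
    json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
        "requestUri": "/rest/api/content/1234/child/attachment", "ruleSetType": "OWASP",
        "ruleSetVersion": "3.0", "ruleId": "942430", "action": "Blocked",
        "message": "Restricted SQL Character Anomaly Detection (args)"}}),
    json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
        "requestUri": "/pages/doeditpage.action", "ruleSetType": "OWASP",
        "ruleSetVersion": "3.0", "ruleId": "942430", "action": "Blocked",
        "message": "Restricted SQL Character Anomaly Detection (args)"}}),
    json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
        "requestUri": "/pages/doeditpage.action", "ruleSetType": "OWASP",
        "ruleSetVersion": "3.0", "ruleId": "920350", "action": "Matched",
        "message": "Host header is a numeric IP address"}}),
    json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
        "requestUri": "/rest/tinymce/1/macro/preview", "ruleSetType": "OWASP",
        "ruleSetVersion": "3.0", "ruleId": "941100", "action": "Blocked",
        "message": "XSS Attack Detected via libinjection"}}),
    "not json at all",  # a damaged line the parser must skip rather than crash on
]

def blocked_rule_summary(lines):
    """Group Blocked WAF events by (ruleSetVersion, ruleId).
    Returns rule -> {"count": int, "uris": sorted list, "message": str}."""
    summary = defaultdict(lambda: {"count": 0, "uris": set(), "message": ""})
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip damaged or non-JSON lines
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        p = rec.get("properties", {})
        if p.get("action") != "Blocked":
            continue  # "Matched"/"Detected" entries did not cause the 400
        entry = summary[(p.get("ruleSetVersion"), p.get("ruleId"))]
        entry["count"] += 1
        entry["uris"].add(p.get("requestUri", ""))
        entry["message"] = p.get("message", entry["message"])
    return {k: {"count": v["count"], "uris": sorted(v["uris"]), "message": v["message"]}
            for k, v in summary.items()}

def rules_by_frequency(summary):
    """Rule keys ordered by how many blocks each caused, busiest first."""
    return sorted(summary, key=lambda k: (-summary[k]["count"], k))

if __name__ == "__main__":
    s = blocked_rule_summary(SAMPLE_LOG_LINES)
    for key in rules_by_frequency(s):
        print(key, s[key]["count"], s[key]["message"], s[key]["uris"])
```

The output lists each blocking rule with the Confluence paths it hit, which is the evidence needed to decide whether a per-URI exclusion of that rule is acceptable.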
Issue Links
- is related to: JRASERVER-28458 Improve JIRA compatibility with OWASP ModSecurity Core Rule Set (CRS) (Gathering Interest)