NAME

Plack::Middleware::Security::Common - A simple security filter for with common rules.

VERSION

version v0.4.1

SYNOPSIS

  use Plack::Builder;

  # import rules
  use Plack::Middleware::Security::Common;

  builder {

    enable "Security::Common",
        rules => [
            archive_extensions, # block .tar, .zip etc
            cgi_bin,            # block /cgi-bin
            script_extensions,  # block .php, .asp etc
            unexpected_content, # block GET with body params
            ...
        ];

   ...

  };

DESCRIPTION

This is an extension of Plack::Middleware::Security::Simple that provides common filtering rules.

Most of these rules don't directly improve the security of your web application: they simply block common exploit scanners from getting past the PSGI layer.

See "EXPORTS" for a list of rules.

EXPORTS

archive_extensions

This blocks requests with common archive file extensions in the path or query string.

cgi_bin

This blocks requests that refer to the cgi-bin directory in the path or query string, or a cgi_wrapper script.

dot_files

This blocks all requests that refer to dot-files or .., except for the /.well-known/ path.

misc_extensions

This blocks requests with miscellenious extensions in the path or query string.

non_printable_chars

This blocks requests with non-printable characters in the path.

null_or_escape

This blocks requests with nulls or escape chatacters in the path or query string.

require_content

This blocks POST or PUT requests with no content.

This was added in v0.4.1.

script_extensions

This blocks requests that refer to actual scripts, file file extension, such as .php or .asp. It will also block requests that refer to these scripts in the query string.

system_dirs

This blocks requests that refer to system directories in the path or query string.

unexpected_content

This blocks requests with content bodies using methods that don't normally have content bodies, such as GET or HEAD.

Note that web sites which do not differentiate between query and body parameters can be caught out by this. An attacker can hit these website with GET requests that have parameters that exploit security holes in the request body. The request would appear as a normal GET request in most logs.

webdav_methods

This blocks requests using WebDAV-realted methods.

wordpress

This blocks requests for WordPress-related pages.

SOURCE

The development version is on github at https://github.com/robrwo/Plack-Middleware-Security-Simple and may be cloned from git://github.com/robrwo/Plack-Middleware-Security-Simple.git

BUGS

Please report any bugs or feature requests on the bugtracker website https://github.com/robrwo/Plack-Middleware-Security-Simple/issues

When submitting a bug or request, please include a test-file or a patch to an existing test-file that illustrates the bug or desired feature.

Suggestions for new rules or improving the existing rules are welcome.

AUTHOR

Robert Rothenberg <rrwo@cpan.org>

COPYRIGHT AND LICENSE

This software is Copyright (c) 2014,2018-2020 by Robert Rothenberg.

This is free software, licensed under:

  The Artistic License 2.0 (GPL Compatible)