2026-06-07, ZKM Medientheater (Language: English)
Web Application Firewalls (WAFs) for filtering based on HTTP and payload are omnipresent. In this talk an argument will be made that, in many cases, the wrong approach for implementing WAFs is chosen: They are implemented as "deny firewalls" which specifically forbid "bad" traffic based on pattern rules, while for network security (layers 3/4) professionals would only ever follow an "allow firewall" approach, which explicitly lets "good" traffic pass and denies everything else.
"Deny WAFs" are oftentimes marketed as simple, easy-to-use, out-of-the-box solutions, but by design they can only prevent known exploits. In practice their potential is limited even further, because rulesets that break application functionality end up being disabled.
While the "allow WAF" approach presented here implies more effort, its main advantage is protection against new attack vectors ("zero days"), and it comes with a lot of side benefits, such as improved performance and resilience through caching.
The following concepts will be introduced:
* HTTP Basics
* Signed URLs / signed requests
* Regular Expressions
* HTTP Caching
Practical examples with Vinyl Cache will be presented:
* Rules based on HTTP method and URL
* Header filtering
* Regular Expressions on body data
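The following Python sketch is an added illustration of the allow-versus-deny argument above; it is not code from the talk or from the Vinyl Cache project, and the request model, the two routes, the header allow list and the sample requests are all constructed for the demo. It evaluates the same constructed requests against a small signature-style deny list and against an explicit allow list (method plus URL pattern, permitted headers, regular expression over the body) so the difference in outcome is visible: the deny list only stops what it has a pattern for, while the allow list also rejects an unexpected route, an unknown header and a body carrying a parameter the application never defined.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional


# Hypothetical request model; a real WAF would fill this from its HTTP parser.
# Header names are assumed to be stored lower-case.
@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]
    body: bytes = b""


# One allow rule: permitted methods on a URL pattern, required header shapes,
# and the exact body shape. Anything on that route not matching is denied.
@dataclass
class AllowRule:
    methods: frozenset[str]
    path_re: re.Pattern
    header_res: dict[str, re.Pattern] = field(default_factory=dict)
    body_re: Optional[re.Pattern] = None  # None: the route takes no body at all


# Constructed list of headers a request may carry at all; unknown ones are denied.
ALLOWED_HEADERS = frozenset(
    {"host", "user-agent", "accept", "content-type", "content-length", "cookie"}
)

# Constructed allow list for a two-route demo application.
ALLOW_RULES = [
    AllowRule(frozenset({"GET", "HEAD"}), re.compile(r"/products/[0-9]{1,8}")),
    AllowRule(
        frozenset({"POST"}),
        re.compile(r"/login"),
        {"content-type": re.compile(r"application/x-www-form-urlencoded")},
        re.compile(rb"username=[A-Za-z0-9_]{1,32}&password=[^&]{8,128}"),
    ),
]

# Constructed deny list in the style of a signature WAF: it knows only these patterns.
DENY_PATTERNS = [
    re.compile(rb"'\s*or\s+", re.I),
    re.compile(rb"<script", re.I),
    re.compile(rb"\.\./"),
]


def deny_waf(req: Request) -> tuple[bool, str]:
    """Deny approach: let the request pass unless a known-bad pattern appears."""
    haystack = req.path.encode() + b"\n" + req.body
    for pat in DENY_PATTERNS:
        if pat.search(haystack):
            return False, f"matched deny pattern {pat.pattern!r}"
    return True, "no signature matched"


def allow_waf(req: Request) -> tuple[bool, str]:
    """Allow approach: pass only if a rule explicitly permits the whole request."""
    for name in req.headers:
        if name.lower() not in ALLOWED_HEADERS:
            return False, f"header not allowed: {name}"
    for rule in ALLOW_RULES:
        if req.method not in rule.methods or not rule.path_re.fullmatch(req.path):
            continue
        for hdr, pat in rule.header_res.items():
            if not pat.fullmatch(req.headers.get(hdr, "")):
                return False, f"header {hdr} outside allowed shape"
        if rule.body_re is None:
            if req.body:
                return False, "body not allowed on this route"
            return True, "explicitly allowed"
        if rule.body_re.fullmatch(req.body):
            return True, "explicitly allowed"
        return False, "body outside allowed shape"
    return False, "no allow rule for this method and URL"


def demo() -> dict[str, tuple[bool, bool]]:
    """Return {case: (deny_waf passes?, allow_waf passes?)} for constructed requests."""
    form = {"host": "shop.example", "content-type": "application/x-www-form-urlencoded"}
    cases = {
        "normal login": Request("POST", "/login", form, b"username=bob&password=correct-horse"),
        "known sqli signature": Request("POST", "/login", form, b"username=bob' or 1=1&password=xxxxxxxx"),
        "novel extra parameter": Request("POST", "/login", form, b"username=bob&password=correct-horse&is_admin=1"),
        "unexpected route": Request("GET", "/admin/export", {"host": "shop.example"}),
        "debug header": Request("GET", "/products/42", {"host": "shop.example", "x-debug": "1"}),
    }
    return {name: (deny_waf(r)[0], allow_waf(r)[0]) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in demo().items():
        print(f"{name:24s} deny-WAF passes: {deny_ok!s:5s} allow-WAF passes: {allow_ok}")
```

The allow rules use `fullmatch` throughout, which is the property that makes the approach hold up: a body or header value is accepted only if the whole of it has the expected shape, so anything appended to an otherwise valid request (the `is_admin=1` case) is rejected without the filter needing to know why it is bad. The price, as the abstract notes, is that every legitimate route and parameter has to be described up front.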
Born between epochs (1<<27) and (1<<28), slink became known as a teen for the 0130 list of German toll-free numbers, which served as a helpful tool to many phreaks. Since then he has run three ISPs and a datacentre before getting into performance and availability engineering. He is currently one of three maintainers of the FOSS Vinyl Cache project and a grateful part of the best small company ever.
