Difference between revisions of "ESAPI Filters"
Edit summaries: (introducing the idea of an ESAPI WAF); m (refactored)
Latest revision as of 14:47, 11 December 2008
Feature Overview
ESAPI currently uses filters to implement a number of security features, including authentication and CSRF protection. The idea has been raised that an ESAPI filter could also be used to perform other security functions.
Possible Enhancements
- ESAPI WAF
One of the core ideas is a filter that optionally performs virtual patching and other capabilities typically found in commercial and open source web application firewalls. ESAPI would not aim to compete directly with projects dedicated to WAF functionality, but it could still perform many important WAF-type functions without introducing a large amount of code.
Customers who have automated penetrate-and-patch operations could get more out of ESAPI with this functionality. Although the filter itself would be relatively small, its rules would need a web application to manage them, and that management application will require more work.
- See the Session Management section for new, smarter CSRF capabilities that may be introduced by a filter.
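As an added illustration of the virtual-patching idea described above, here is a minimal servlet filter that enforces per-parameter allow-list rules and refuses requests that violate them before they reach the application. This is example code written for this page, not ESAPI's own filter and not code from the ESAPI project; the class name, the rule ids, the sample rules and the logging format are hypothetical.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical virtual-patching filter (example for this page, not ESAPI code).
 * Each rule names a path prefix, a request parameter and the pattern every
 * value of that parameter must match. A request that violates a rule is
 * refused with 403 before it reaches the servlet it would have exploited.
 */
public class VirtualPatchFilter implements Filter {

    /** One virtual patch: an allow-list pattern for one parameter under one path. */
    public static final class Rule {
        final String id;
        final String pathPrefix;
        final String parameter;
        final Pattern allowed;

        public Rule(String id, String pathPrefix, String parameter, String allowedRegex) {
            this.id = id;
            this.pathPrefix = pathPrefix;
            this.parameter = parameter;
            this.allowed = Pattern.compile(allowedRegex);
        }
    }

    private final List<Rule> rules = new ArrayList<>();

    public VirtualPatchFilter() {
        // Constructed sample rules. A real deployment would load them from the
        // rule store maintained by the management application the page mentions.
        rules.add(new Rule("VP-001", "/account/", "id", "^[0-9]{1,10}$"));
        rules.add(new Rule("VP-002", "/search", "q", "^[\\p{Alnum} ]{0,64}$"));
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    /** Returns the id of the first violated rule, or null when the request is clean. */
    public String findViolation(String path, Map<String, String[]> params) {
        for (Rule rule : rules) {
            if (!path.startsWith(rule.pathPrefix)) {
                continue;
            }
            String[] values = params.get(rule.parameter);
            if (values == null) {
                continue; // parameter absent: nothing for this patch to check
            }
            // Every occurrence must match: checking only the first value of a
            // repeated parameter is a classic WAF bypass.
            for (String value : values) {
                if (!rule.allowed.matcher(value).matches()) {
                    return rule.id;
                }
            }
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getRequestURI();
        String violated = findViolation(path, request.getParameterMap());
        if (violated != null) {
            // Record which patch fired so operators can tell a blocked attack
            // from a rule that is too strict for legitimate traffic.
            request.getServletContext().log("VirtualPatchFilter blocked "
                    + request.getMethod() + " " + path + " from "
                    + request.getRemoteAddr() + " (rule " + violated + ")");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Register the filter in web.xml with a filter-mapping whose url-pattern is /* so it runs ahead of the application's own filters. Two caveats for rule authors: getRequestURI() includes the context path, so prefixes must account for it (or strip it with getContextPath()), and getParameterMap() has already applied one round of URL decoding, so patterns are written against decoded values and a double-encoded payload still arrives encoded once and fails an allow-list rule rather than slipping past it. Allow-list patterns per parameter, as shown, are what make a virtual patch small and reliable; block-list signatures are where most WAF code and most bypasses live.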