Cs-Cart Saids I Don't Need The Waf

When I attempt to enter settings for a block in the admin layout view I get an error. I am under CS-Cart support period, they tell me it relates to MOD-Security but the hosting provider saids that module is not active. From what I have been able to work out cs-cart script calls are sees as suspicious requests by the WAF and so are blocked (are getting considered as XSS attacks). All works fine when I turn the WAF off, which cs-cart saids isn't a problem because of their in-built security ... is that the case?

The WAF (Web Application Firewall) is a very complex and dangerous thing (you can break your store), which for the most part is not used the way it was meant to be used. Most (and let's face it, we do too) use WAF on a “deny list” principle, which means that what is forbidden is blocked. In fact, it has to be configured exactly the other way around, according to “allow list” principle and that approach is very difficult because you have to describe all the requests, all the forms, all the stuff and then block absolutely everything that doesn't fit into that condition. And what to do after installing new add-ons)))))), I think you understand how it increases the complexity of integrating WAF into your store.
If you decide to configure WAF and try to protect your project, keep track of all logs and blocking triggers because false positives often occur at the beginning. For example, NAXSI https://github.com/nbs-system/naxsihas a learning mode that logs everything that would work but does not block it, this is a good way to start. But I want to warn you – CS-Cart doesn't work with basic NAXSI rules :)
By the way, you can try https://www.cloudflare.com/waf/it's easy to configure and maintain, but cost a lot if you would like to make a tiny tweaking.
1 Like

Forgive my rudeness, just caught the response, many thanks for the detail :slight_smile: