Excellent. I think this is an excellent, very specific solution.
On 9/10/2020 07:58, Ken Fallon wrote:
I applied a rewrite rule as shown here
https://blog.paranoidpenguin.net/2018/12/how-to-remove-facebooks-fbclid-parameter-using-mod_rewrite-on-apache-2-4/
So now Facebook links will work.
Wouldn't accepting parameters from others pose a security problem? I
tend to think it expands the attack surface.
On 2020-09-10 00:10, Cedric De Vroey wrote:
No it doesn't really, as long as you use named parameters, and as long
as you implement proper sanitation on those parameters you should be
fine from a security perspective.
I agree if you mean just adding this one extra parameter.
I disagree if you mean allowing any extra parameters. Checking that the
parameters match our allowable list is part of a good defense-in-depth
strategy. By triggering this check, we know the person is an attacker,
and can use that information as part of our defense.
However, there are privacy concerns that could be made over this
practice since it could be used to track users.
This looks like an attempt to bypass the EU cookie law.
_______________________________________________
Hpr mailing list
Hpr@hackerpublicradio.org
http://hackerpublicradio.org/mailman/listinfo/hpr_hackerpublicradio.org
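
Added example, not part of the thread and not HPR's own code: a query-string filter that combines the two positions discussed above, dropping `fbclid` silently while treating any other unlisted or malformed parameter as a signal worth logging. The paths, the `id` parameter and its pattern are hypothetical; only `fbclid` comes from the thread.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical allowlist: path -> {parameter name: pattern its value must match}.
ALLOWED = {
    "/": {},
    "/episode": {"id": re.compile(r"[0-9]{1,5}")},
}
# Third-party tracking parameters that are dropped without raising a flag.
STRIP = {"fbclid"}


def filter_request(url):
    """Return (clean_url, rejected_names) for one request URL."""
    parts = urlsplit(url)
    rules = ALLOWED.get(parts.path, {})
    kept, rejected = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in STRIP:
            continue  # benign noise added by the referring site
        pattern = rules.get(name)
        if pattern is not None and pattern.fullmatch(value):
            kept.append((name, value))
        else:
            rejected.append(name)  # unlisted name or value failing validation
    clean = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), "")
    )
    return clean, rejected


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "https://example.org/episode?id=3157&fbclid=IwAR0constructed",
        "https://example.org/episode?id=3157&debug=1",
        "https://example.org/episode?id=abc",
    ]
    for url in samples:
        clean, rejected = filter_request(url)
        status = "ALERT " + ",".join(rejected) if rejected else "ok"
        print(f"{status:12} {clean}")
```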