ModSecurity VS cms

First of all, if you have any experience with Traefik, I'd suggest you to do the reverse proxy stuff with it and install the Crowdsec instance along it. As I didn't have experience using Traefik I went with NPM but now I guess it would have been easier considering the research I had to do... Another reason is, I wanted to implement a geo block and/or another security layer by using ModSecurity (https://github.com/SpiderLabs/ModSecurity ) besides Crowdsec too. Afaik Traefik has a plugin that integrates ModSecurity easily - unless NPM.

I don't know about Blackboard, but Moodle will allow quizzes to be run in popups that block most extensions from working; lockdown browsers will block such extensions; and, if you have access to the server, a modified firewall (e.g., ModSecurity) may\* allow blocking this and similar extensions.

> ModSecurity for WAF: https://github.com/SpiderLabs/ModSecurity

This might be of interest to some: https://www.modsecurity.org/

> Trustwave is announcing the End-of-Life (EOL) of our support for ModSecurity effective July 1, 2024. We will then hand over the maintenance of ModSecurity code back to the open-source community.

Probably not too big of a deal, though.

Also, this might be useful: https://owasp.org/www-project-modsecurity-core-rule-set/

Though there has been some critique of ModSecurity and that ruleset in the past, as something dated and with false positives.

Anyone have any good alternatives?

Is there a reason no one hasn't made a Docker template for OWASP Coraza (https://github.com/corazawaf/coraza) or ModSecurity (https://github.com/SpiderLabs/ModSecurity) for the use of a reverse proxy?

Since Nginx has different use cases, protecting your application depends on how and where you use it. It's recommended that you have a reliable WAF solution since they block most harmful requests in the first place. In this article, you'll compare three tools—ModSecurity, F5 Nginx App Protect, and open-appsec—based on their active development, advanced security features, and open source commitment to help you figure out which tool is right for you.

I'm currently erring toward ModSecurity & the Nginx connector now that it's been de-Apache'd.

Is anyone on HN doing WordPress administration? I recently 'inherited' a webshop built on WP/WooCommerce, and all the conflicting security advice in the WP space is making my head spin.

There are a dozen competing 'security' plugins, with some saying 'you don't need any of them, WP is secure enough by default', and others saying 'you actually need ModSecurity [1] / Jeff Starr's nG firewall [2]'.

The agency that (shoddily...) built the webshop installed Wordfence Free [3], so I've just kept that for now, though I feel it's kind of slow (but that might just be caused by the bottom-of-barrel performance of the shared webhost it's currently running on).

[1] https://github.com/SpiderLabs/ModSecurity

[2] https://perishablepress.com/7g-firewall/

[3] https://www.wordfence.com/

By Web Firewall did you mean smth like this ?

Statamic is one of the best flat-file CMSs. It’s built with Laravel and can be used as a headless Git-based CMS as well. The paid professional version allows you to use REST APIs and GraphQL APIs for content management and offers a GitHub integration for content storage and editorial workflows.

Aah, that's always a controversial question, on one hand, some universal rules of usability do exist, but on the other hand, everyone's habits, taste and use cases are very different.

The most neutral definition of a "well designed" website, without any further context, could be "created in a way that helps users achieve intended goals efficiently, while keeping max number of users happy about its look".

Again, different audiences will have very different answers. Here at HN, sites like https://www.mcmaster.com/ and https://www.craigslist.org win – because HN users appreciate old look and how efficient these sites are.

https://www.apple.com/ is an industry standard of a marketing site for consumer tech. It's not universally "well designed".

Other examples of well done marketing pages: https://www.sketch.com/ ; https://statamic.com/ ; https://linear.app/ got its share of hype recently.

Other times, a website is well designed because its content is awesome and is easy to consume. See https://ciechanow.ski/ and https://www.joshwcomeau.com/

Is https://github.com/ well designed? As an amateur developers, I'd say yes.

Is https://htmx.org/ well designed? Hmm, at a glance, there's no design at all. Is no design also design? That's a rabbit hole.

P.S. I often hear my website is well-designed :-)

Local CMSs are the ones that are mostly file-based (like Statamic or Astro). This means that you can edit everything locally and deploy the data. This way, our CMS is more secure, but on the downside, you have to have a local server working, and you might experience more conflicts, especially when two people will work on the same article (although Git might save you from many of those). It also means that there is a higher learning curve. A remote CMS works somewhere on a server, and most users don't care how.

I use Statamic, the free version will do everything your looking for and it can be as simple or as complex as you need it to be. It's flat file based (by default) too so deployment / version control is super easy.

Statamic (PHP / Laravel)

I'm not in the market for a CMS but if I were I'd likely go with https://statamic.com/ if I needed to build something from scratch.

If you're looking for a great CMS and were bitten by WordPress back in the day, you should take a look at Statamic (https://statamic.com)

It's a Laravel package and it's the best CMS I've ever used (from a dev perspective). v4 just dropped the other day

https://statamic.com free for personal. Your welcome.