8000 Monthly Chat Agenda March 2025 (2025-03-03) · Issue #4033 · coreruleset/coreruleset · GitHub

Closed
fzipi opened this issue Mar 3, 2025 · 1 comment

Comments

@fzipi
Member
fzipi commented Mar 3, 2025

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on the first Monday of the month (usually), at 20:30 CET (CEST during summer in the Northern Hemisphere). Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decisions are here.

What happened in the meantime since the chat last month

Outside development

Inside development

Rules

  • 🆕 feat: prevent V1 cookie format - prevents cookie sandwich attacks

CRS Sandbox

  • No news here.

Security

Plugins

  • FIXME: Please fill in

Documentation and Public Relations

Project Administration and Sponsor relationships

  • OWASP HQ still hasn't provided CRS with the balance from 2024. We are waiting on this for planning 2025. Note: Andrew Van Der Stock is aware of this.
  • Waiting for OWASP to give us access to Docker Hub org so we don't have to publish from our private accounts and can use organisational access tokens.

Tools

  • Support for ordered list of headers in tests in go-ftw (waiting to be merged)

Containers

  • New release has a new variant for Read-only Root Filesystem (only for nginx based images for now).
  • Preparing new release with ModSecurity compiled with PCRE2

Project discussions and decisions

  • There's a long open PR for improving generic plugin testing setup: feat(ci): add lint and integration/regression test wordpress-rule-exclusions-plugin#6
  • Add common tag for all rules in a file #3991: proposal to add more tags per rule
  • Re-visiting this discussion: How does CRS want to approach modsecurity.conf-recommended in the future? The situation is clearly different, now, in 2025.
    • In the past, there was friction with the engine's previous owner (e.g. CRS advocated for enabling rule 200006 (allow JSON subtypes) by default, but we were told 'no'.)
    • We previously discussed the idea that one day CRS could handle everything from modsecurity.conf-recommended directly within CRS, so that all config would be in one place and CRS could control which "default" rules to enable/disable.
    • There is also now the potential to work with team ModSecurity to come up with a solution (e.g. keep modsecurity.conf-recommended but change the defaults to be more sensible/CRS-friendly).
    • Why re-open this discussion now? It follows on from issue 9EA-241022. We removed several default allowed content types (including some "+json" subtypes). The open question remaining was: do we want to enable 'recommended' rule 200006 by default and retire rule 200001? And, more broadly, how do we want to work with/around modsecurity.conf-recommended going forwards?

Rules development, key project numbers

PRs that have been merged since the last meeting

We merged 19 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

How to get to our Slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite.

Everybody is welcome to join our community chat.
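For readers who do not have modsecurity.conf-recommended in front of them, the two rules the agenda item above refers to are reproduced here as an added illustration (this is not text from the agenda or a decision of the project, and it is quoted from memory of the ModSecurity v3 recommended configuration; check the exact wording in the file shipped with your ModSecurity version). Rule 200001 engages the JSON request body processor only for a Content-Type of exactly `application/json`; rule 200006 does the same for `+json` subtypes such as `application/problem+json` and ships commented out, which is the default the discussion is about. The variant at the bottom shows what "enable 200006 and retire 200001" would look like in that file.

```apache
# --- As shipped (defaults in modsecurity.conf-recommended, quoted from memory) ---

# Engage the JSON body processor for 'application/json' only.
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Sample rule for '+json' subtypes; disabled by default.
#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# --- Hypothetical outcome of the proposal under discussion (not a project decision) ---
# 200001 removed; 200006 enabled so that every 'application/*+json' body is parsed as JSON.
# Note that 'application/json' does not match '[a-z0-9.-]+[+]json' (there is no '+'),
# so retiring 200001 without widening this pattern would stop parsing plain JSON bodies.
SecRule REQUEST_HEADERS:Content-Type "^application/([a-z0-9.-]+[+])?json" \
     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
```

The practical point for operators: a `+json` request body that reaches CRS without the JSON processor engaged is inspected as an opaque blob rather than as parsed `ARGS`, so the choice of default here changes what the rules actually see. The widened pattern in the last rule is an assumption made for the illustration, not something proposed in the issue.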

@franbuehler
Contributor
franbuehler commented Mar 3, 2025

Decisions

  • Add common tag for all rules in a file #3991: proposal to add more tags per rule
    🔵 No decision taken tonight. Comments in the issue are very welcome.
  • How does CRS want to approach modsecurity.conf-recommended in the future?
    🔵 As a first step: Xanadu will open two issues in ModSecurity, one for "default rules" and one for "error handling"
  • CRS Community Call
    🔵 It's time to launch a social media campaign with as many personal / individual posts as possible

@theseion theseion closed this as completed Apr 7, 2025