Excellent Web security book
I just came across an excellent web security book - HackNotes(tm) Web Security Pocket Reference. It is very refreshing; short but with a great deal of information and practical examples. You will find it very useful even if you think you know everything there is to know about web security.
Output filtering now in CVS
The new output filtering functions are now in CVS. I implemented this feature for Apache 2 first for two reasons. First, this version supports the notion of input/output filters - making filtering work is simply a case of using the module API. In addition to that, I've been using mod_security as part of a reverse proxy for some time now and I really, really wanted it to be able to filter output.
As for Apache 1.x, well, I have a pretty good idea how I would be able to implement output filtering even without API support. It is tricky, and I am not sure whether it will be portable (to Windows) but I'll give it a try.
To use output filtering, first turn it on by typing:
SecFilterOutput On
You are then free to apply filters against the output using a new selective filtering variable "OUTPUT". Like this:
SecFilterSelective OUTPUT "some rude word"
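
A fuller configuration built on the two directives above, added here as an illustration and not taken from the original post: it uses output filtering to stop error text from leaking to clients. The patterns are constructed samples, and the action lists assume the standard mod_security 1.x action syntax.

```apache
<IfModule mod_security.c>
    # The rule engine must be on before any filter is evaluated;
    # SecFilterOutput then enables scanning of response bodies.
    SecFilterEngine On
    SecFilterOutput On

    # Action applied to every rule that does not name its own:
    # reject the response, log the match, return a generic 500.
    SecFilterDefaultAction "deny,log,status:500"

    # Constructed sample patterns (regular expressions) for error text
    # that should never reach a client. They inherit the default action.
    SecFilterSelective OUTPUT "Fatal error:"
    SecFilterSelective OUTPUT "You have an error in your SQL syntax"

    # Detection-only rule: log the match but let the response through,
    # useful for measuring false positives before switching to deny.
    SecFilterSelective OUTPUT "Warning: mysql_" "log,pass"
</IfModule>
```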