remove DetectionOnly WAF mode
DetectionOnly was fundamentally broken in coraza-caddy (actually blocks requests via anomaly scoring), caused massive audit log flooding, and the threshold workaround had several issues:

- t:none is meaningless in a SecAction (no target to transform)
- SecRuleEngine directive ordering relative to SecAction is implementation-defined, making the override fragile
- host.mode ?? 'DetectionOnly' fallbacks silently gave any host without an explicit mode the broken DetectionOnly behaviour

Changes:

- Remove DetectionOnly from UI (global settings radio, per-host engine mode)
- Coerce legacy DB values of 'DetectionOnly' to 'On' in buildWafHandler
- Fix fallback defaults: host.mode ?? 'DetectionOnly' → host.mode ?? 'On'
- Fix action parsers: unknown mode defaults to 'On' (was 'DetectionOnly')
- Fix global settings defaultValue: ?? 'DetectionOnly' → ?? 'On' (or 'Off')
- Remove the fragile threshold SecAction workaround
- Update types: mode is now 'Off' | 'On' throughout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -29,7 +29,7 @@ export type WafMode = "merge" | "override";
|
||||
|
||||
export type WafHostConfig = {
|
||||
enabled?: boolean;
|
||||
mode?: 'Off' | 'DetectionOnly' | 'On';
|
||||
mode?: 'Off' | 'On';
|
||||
load_owasp_crs?: boolean;
|
||||
custom_directives?: string;
|
||||
excluded_rule_ids?: number[];
|
||||
|
||||
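Review bot: on the `mode?: 'Off' | 'On';` line, the narrowed union is only a compile-time guarantee, while the commit message says stored rows can still hold 'DetectionOnly' and that the coercion lives in buildWafHandler, which this hunk does not show. Any other reader of a persisted WafHostConfig would receive a value outside the declared type without the compiler noticing, so consider normalising once where the config is loaded instead of in a single consumer. A short doc comment on `mode` stating that legacy 'DetectionOnly' is mapped to 'On' would also record that falling back to the blocking setting is intentional.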