aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0
852 stars, 366 forks

Block hidden files and folders like .env and .git #240

Closed jonkerw85 closed 1 year ago

jonkerw85 commented 1 year ago

Is your feature request related to a problem? Please describe.
I have a custom rule that blocks access to .env and .git. This is the most used rule in my AWS WAF log, while it is the last rule in my rule list. This means that requests to these files are not blocked by the default rules that I use from AWS like AWS-AWSManagedRulesCommonRuleSet and AWS-AWSManagedRulesPHPRuleSet. I suspect also other AWS WAF users will see scans of these hidden files.

Describe the feature you'd like
I would like an AWS WAF rule that will block access to hidden files like .env and .git. I think it should be a curated list, because hidden files and folders can also have a legitimate use, for example .well-known/security.txt. I suspect it should be possible for AWS to make a curated list of files that most likely should not be accessible from the internet, like the aforementioned .env file and .git folder.

Additional context
For example, CloudFlare WAF has the Version Control - Information Disclosure rule (rule group: Cloudflare Specials, rule id: 100016) to block .git, and as I remember they also have a similar rule for blocking access to .env.
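To make the curated-list idea concrete, here is an added example that is not code from this issue or from the aws-waf-security-automations solution: a Python emulation of the requested rule, with a constructed deny list of hidden files and folders, an allow list for `.well-known`, and path normalisation so encoded or mixed-case variants of `.env` cannot slip past a plain string match. All list contents and sample paths are constructed for illustration.

```python
from urllib.parse import unquote
import posixpath

# Constructed curated deny list (hypothetical, lower-case): hidden files and
# folders that should normally never be served from a web root.
HIDDEN_PATH_DENYLIST = {
    ".env", ".git", ".svn", ".hg", ".htaccess", ".htpasswd",
    ".ds_store", ".aws", ".ssh",
}
# Hidden folders with a legitimate public use (security.txt lives under
# /.well-known/), exempted so the rule stays curated rather than "block all dotfiles".
HIDDEN_PATH_ALLOWLIST = {".well-known"}


def normalize_path(raw_path: str) -> str:
    """Reduce a request URI to a canonical path for matching.

    Drops the query string, percent-decodes twice (catches %252E double
    encoding), collapses '.'/'..' segments and folds case so '.ENV' == '.env'.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def hidden_segments(path: str) -> list:
    """Return path segments that start with a dot, excluding '.' and '..'."""
    return [seg for seg in path.split("/")
            if seg.startswith(".") and seg not in (".", "..")]


def should_block(raw_path: str) -> bool:
    """True when the request touches a deny-listed hidden file or folder.

    '.env.production' matches '.env'; '/.well-known/security.txt' is allowed,
    but '/.well-known/.git/HEAD' is still blocked because '.git' is hidden too.
    """
    for seg in hidden_segments(normalize_path(raw_path)):
        if seg in HIDDEN_PATH_ALLOWLIST:
            continue
        if any(seg == name or seg.startswith(name + ".")
               for name in HIDDEN_PATH_DENYLIST):
            return True
    return False


def evaluate(paths) -> dict:
    """Map each constructed request path to the emulated WAF action."""
    return {p: ("BLOCK" if should_block(p) else "ALLOW") for p in paths}
```

Running `evaluate(["/.env", "/%2Eenv", "/.well-known/security.txt", "/.github/workflows/ci.yml"])` shows the two `.env` variants blocked and the other two allowed, which is the behaviour the curated list is meant to give.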

jonkerw85 commented 1 year ago

Sorry, wrong place for this request :).