Expected Behaviour
The WAFProfile defined in a SecurityProfile for a component is the only way to assign WAFProfiles to a component.
Current Behaviour
Currently, when you use the OWASP configuration option under the WAF configuration, it overrides the WAFProfile defined in the security profile and uses a fixed profile that the provider has deemed to implement WAF. Instead, providers can offer their own WAFProfiles that might implement OWASP controls, and the user can then choose to use them or make their own.
Possible Solution
Remove the OWASP configuration option from the WAF configuration and rely on using the Security Profile WAF Profile.
Context
This aligns with how we handle other security controls within our solutions and creates a single configuration option which will control the WAF profile assigned to a given component.