Make sure that the JSON-RPC API can be protected by a WAF

semiotic-ai / timeline-aggregation-protocol

A fast, efficient and trust-minimized unidirectional micro-payments system.

Apache License 2.0

14 stars 3 forks source link

Make sure that the JSON-RPC API can be protected by a WAF #81

Closed aasseman closed 1 year ago

aasseman commented 1 year ago

Implemented some basic protections in #84

aasseman commented 1 year ago

Done some research on the subject. Here is some WAF functionality we may recommend:

DDoS protection, rate limiting etc.
Geofencing, depending on the operator's jurisdiction.
HTTP response inspection. In particular, we could be specific with the HTTP error codes we are returning, so that rules specific to the aggregator could be added to the WAF.
JSON request and response inspection. We could validate the inputs, as well as parse JSON-RPC error codes in the response.

ColePBryan commented 1 year ago

@aasseman what is the status of this issue?

aasseman commented 1 year ago

The best we can do is write guidelines for gateway operators in the documentation. Unless we assume that the (non-exhaustive) recommendations above should be obvious.

ColePBryan commented 1 year ago

Do you think it's in the expected scope of the documentation? Or is it something someone running the aggregator would be expected to know?