WAF Rule Management UX
Problem to solve
Users want to use custom rule sets for the WAF, but are unable to do so with the current implementation. We will offer a minimal way to define custom rules from a Configuration page.
Intended users
Proposal
Create visual assets, including wireframes, to understand how we may offer customization of the WAF rules.
What we think we know:
- Most users are comfortable saying what they want to add or remove, but will not know the ModSecurity-specific way to add/edit the individual rules themselves.
Possible solutions:
- Pure text files (my-waf-rules.txt)
- A form with fields to add rules text and generate my-waf-rules.txt for the user
- Radio buttons to enable sets of rules (e.g. the Sqreen example is a good one)
- Interactive "wizard"-like experience (copy/paste text into the file)
- Download rule file -> save in the repo -> commit w/ Git to repo
- Specify file location
- We could save the file in their repo and they could read the rules there
- Create an MR against the repo (like Secure stage security scans)
Questions to answer:
- Which potential solutions do we think users would prefer? (We won't have time or bandwidth to test prototypes, so we'll make an educated guess for MVC.)
Success Criteria
- Answer the above question
- Attach at least one potential flow (wireframes) for configuring WAF rules (and any other supporting design assets)
/cc @andyvolpe @vkarnes
Edited by Rémy Coutable