Make the wording of the OWASP action documentation more approachable. #1619
Conversation
| import ActionExamples from "/snippets/traffic-policy/actions/owasp-crs-request/examples/index.mdx"; | ||
| import ActionVariablesDescription from "/snippets/traffic-policy/common/action-variables-description.mdx"; | ||
| import { YouTubeEmbed } from "/snippets/YouTubeEmbed.jsx"; | ||
| import { YouTubeEmbed } from "/snippets/TrafficPolicy.jsx"; |
There was a problem hiding this comment.
| import { YouTubeEmbed } from "/snippets/TrafficPolicy.jsx"; | |
| import { YouTubeEmbed } from "/snippets/YouTubeEmbed.jsx"; |
Typo?
There was a problem hiding this comment.
Eep, yes, sorry! I had played with creating a custom component that would allow us to specify the Traffic Policy file just once, and then it would automatically render the two-pane YAML/JSON variant. I hit snags that I didn't know how to overcome, though.
There was a problem hiding this comment.
Yeah mintlify has some limitations that I hope to work around soon by creating exactly the component you're describing
|
|
||
| <YouTubeEmbed videoId="HHxj5VGFTEA" title="Block web attacks with ngrok's OWASP CRS Request" /> | ||
|
|
||
| The `owasp-crs-request` action enables rule processing on incoming HTTP |
There was a problem hiding this comment.
I think this paragraph should be moved to the top since the page is primarily about the OWASP request action, not OWASP in general. I do think the paragraph you have explaining OWASP and CRS is good, but feels less appropriate as the intro
| requests to your endpoint. We recommend you also enable the [OWASP CRS Response | ||
| action](/traffic-policy/actions/owasp-crs-response/) to block attacks where | ||
| it's the response that is malicious. |
There was a problem hiding this comment.
| requests to your endpoint. We recommend you also enable the [OWASP CRS Response | |
| action](/traffic-policy/actions/owasp-crs-response/) to block attacks where | |
| it's the response that is malicious. | |
| requests to your endpoint. To use rule processing to block malicious HTTP _responses_, enable the [OWASP CRS Response | |
| action](/traffic-policy/actions/owasp-crs-response/). | |
| <Tip> | |
| We recommend using both actions. | |
| </Tip> |
Condensed this a bit and changed the language to keep the emphasis on the difference here, so readers who are skimming can understand what we're saying a little easier. Also added a callout to really highlight that we recommend using both.
| The `owasp-crs-response` action enables rule processing on incoming HTTP | ||
| requests to your endpoint. We recommend you also enable the [OWASP CRS Request | ||
| action](/traffic-policy/actions/owasp-crs-request/) to block attacks where | ||
| it's the request that is malicious. |
There was a problem hiding this comment.
| The `owasp-crs-response` action enables rule processing on incoming HTTP | |
| requests to your endpoint. We recommend you also enable the [OWASP CRS Request | |
| action](/traffic-policy/actions/owasp-crs-request/) to block attacks where | |
| it's the request that is malicious. | |
| The `owasp-crs-response` action enables rule processing on incoming HTTP | |
| requests to your endpoint. To use rule processing to block malicious HTTP _requests_, enable the [OWASP CRS Request | |
| action](/traffic-policy/actions/owasp-crs-request/) action. | |
| <Tip> | |
| We recommend using both actions. | |
| </Tip> |
Similar change to what I suggested in the request page.
| [OWASP Top Ten](https://owasp.org/www-project-top-ten/), with a minimum of false alerts. | ||
| CRS provides protection against many common attack categories, including SQL Injection, | ||
| Cross Site Scripting, Local File Inclusion, etc. | ||
| [OWASP](https://owasp.org/) stands for the Open Web Application Security |
There was a problem hiding this comment.
Same as the above, I think the other paragraph should be the intro and this should be the second paragraph
sg-writer
added
docs/content
Co-authored-by: SG <[email protected]>
3 participants
The OWASP action documentation pages felt a bit impenetrable, the very first sentence you encountered was:
In this PR I'm trying to make it a bit more clear what these actions do for folks that don't know what OWASP CRS means, or haven't heard of ModSecurity (I've removed mention of this entirely because it's not relevant for use with ngrok.)