Hello Everyone,
It's going to be a bit long this time, and I hope you guys will find it meaningful.
I consistently execute security assessments to improve the overall security posture from time to time. Most of the assessments are self-check assessments and pentests. Somehow, this time I decided to utilise external reputable sources, namely two reputable cyber security risk assessment platforms via their provided online scanners, and found that the cyber security score, which consists of best practices in place, hits a satisfactory level [901 out of 950 and A out of A+]. Based on my checking, both of these platforms consistently update their threat intelligence as well as their security checkpoints regularly, which means most of the new types of threats and attacks, as well as CWEs, are included and measured as well.
*The nature of the tests is over best security practices, as these scanners do not take outer-layer blockage such as WAF blocking into account. So, the WAF was temporarily bypassed for them to scan and provide an accurate result over the practices.
This has been a practice where all traditional security practices are fulfilled and then blockage through the WAF is done as an additional layer, so that in the event anything goes wrong at the core aspect, such as maybe accidentally indexing something that shouldn't be, it would still remain inaccessible, as the WAF is blocking access to the source in addition.
Well, I conduct all of this as per what I know. I am not a security expert, nor an expert at all, but I conduct it based on my own logical and critical thinking plus analysis, verified via sources on the internet, and sometimes I seek open opinions from subject matter or community experts, as I usually do by starting a discussion here, and as I do below.
No System is 100% Secure
Being aligned with the self-initiative to consistently and persistently improve the security level and posture, I came to a point where I was thinking:
1] Is restricting access to the certain sensitive paths below, related to the Flarum script, a valid security-strengthening move?
*The blockage would be done in the Cloudflare WAF Custom Rules area, or in other words what I prefer to call the F.L.O.D [First Layer of Defense], due to its nature of blocking before the request even reaches or fetches from the origin. Upon the implementation of this block, whenever someone tries to access those paths above, they would be returned a block page or a 403/forbidden error code.
I had manually inspected all these paths and they return 403/forbidden at my origin, which is good, as I expect them to be restricted at the origin as they should be, but somehow I am looking forward to restricting them via the F.L.O.D WAF as well.
Why such move?
Let's take the debug path as an example. In the event I am encountering an issue with my script, I would be enabling debug mode, which consequently would provide information through that path. I want to block that information from being publicly accessible by others; therefore, restricting it at the F.L.O.D WAF would give me the advantage that only I would be able to view that information, as my ASN+IP is the only one whitelisted to access it, whereas anyone else would experience a block page or a 403/forbidden error code.
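As an added illustration that is not part of this post, the Python below models the rule described above: a restricted path answered with 403 for everyone except an allowlisted source, after the same kind of URL normalization Cloudflare applies before evaluating rules. The `/debug` path and the `203.0.113.0/24` allowlist are constructed placeholders (the post does not list its actual paths or address), and the Cloudflare expression in the comment is my assumed equivalent, not something from the post.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed placeholders: the post does not list its actual sensitive paths,
# so "/debug" (the example path it mentions) stands in for the restricted set,
# and 203.0.113.0/24 stands in for the author's own allowlisted ASN+IP range.
RESTRICTED_PREFIXES = ("/debug",)
ALLOWED_SOURCES = (ipaddress.ip_network("203.0.113.0/24"),)

# Assumed Cloudflare custom-rule equivalent (action: Block), not from the post:
#   (starts_with(http.request.uri.path, "/debug") and not ip.src in {203.0.113.0/24})


def normalize_path(raw_path):
    """Percent-decode, collapse duplicate slashes and ./.. segments, lowercase.

    Cloudflare normalizes the URL before evaluating rules; the model does the
    same so that /%44ebug/ or /x/../debug are matched like a plain /debug."""
    path = unquote(raw_path)
    # Anchoring at "/" before normpath also neutralises a leading "../".
    path = posixpath.normpath("/" + path.lstrip("/"))  # /x/../debug/ -> /debug
    return path.lower()


def is_restricted(path):
    """Match whole path segments only, so a rule for /debug does not also
    catch an unrelated route such as /debugger (the functionality trade-off)."""
    p = normalize_path(path)
    return any(p == pre or p.startswith(pre + "/") for pre in RESTRICTED_PREFIXES)


def is_allowed_source(src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in ALLOWED_SOURCES)


def evaluate(path, src_ip):
    """Return the status the edge would answer with: 403 for a restricted
    path from a non-allowlisted source, otherwise 200 (pass to the origin)."""
    if is_restricted(path) and not is_allowed_source(src_ip):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample requests: (path, source IP)
    for req in [("/debug", "198.51.100.7"), ("/debug", "203.0.113.10"),
                ("/x/../%44ebug/", "198.51.100.7"), ("/debugger", "198.51.100.7")]:
        print(req, "->", evaluate(*req))
```

Checking the model against the real rule with the same handful of requests (allowlisted address, outsider, encoded and traversal variants, a similarly named but unrelated route) is a quick way to confirm the block neither misses evasions nor catches routes the forum needs.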
Security is essential but the use-case and functionality of the system is even more important.
2] So, what would be the impact of executing what is shared above? Is there any trade-off with functionality, such as any element of my Flarum possibly breaking or slowing down?
3] It somehow comes down to the threat defense model, but then, how efficient would this move probably be?
I am entirely open to criticism, constructive feedback as well as ideas.
I appreciate the feedback from all respected members and the executors [builders] of this amazing Flarum.
Thanks in advance.