[derefr]

> But if you were blocking the data from being accepted in the first place you wouldn't have that data in your database to begin with.

I mean, many of these dumb mistakes that someone would want their WAF to save them from, wouldn't be for leaks of user-provided PII, but rather for leaks of ops-provided secrets (e.g. connection credentials for upstream APIs), no?

[bastawhiz]

I don't disagree, but also blocking incoming requests that contain ops secrets gives you a great oracle for brute forcing what those secrets are!

[derefr]

I think I'd expect it to block responses containing anything matching the syntax of any ops secret.

A bit like how Github's partner leaked-secret scanning system works (where each company concerned with credential leaks, registers with Github the syntax of the credentials they issue as a regex pattern — and then Github webhooks the relevant company whenever one of their issued credentials makes it into a commit on any public repo, so that they can invalidate that secret before some attacker scrapes it out of the repo and plugs it into their botnet.)

But rather than the credential issuers registering their secret formats with the WAF, instead it'd just be your ops team telling the WAF the general-form regexes for each type of secret your team is actually using in prod. (Which might be a bit hard to determine from an ops team's position, as they may not have too many examples of a given type of secret — but it's usually a safe bet that your secret is just a concatenation of constant string parts with fixed-length baseN-alphabet parts. So in practice it's mostly just a matter of recognizing what N is [and maybe the variant alphabet in use, in the case of e.g. base32.])