Our primary development environments are either CF10 or Java7 (running under Tomcat7). I was wondering if anyone has experience w/the Comodo or OWASP CRS rules for either of these environments.
Focusing for a moment on the CF10 side of things, I’ve found that enabling CRS 2.2.9 can even stop a basic /server-info or /server-status call and it certainly doesn’t allow CF Administrator pages to load. Having just found Comodo free rules, I haven’t had a chance to really try them in our CF10 environment. If it does work better (as in at least not block basic CF Admin stuff), I wonder if it’s because it’s more lax in its rules, or if the rules are “better written”.
In any case, if folks have a good feel for which set of rules (mostly by default, w/out too much fussing) is “better” for a CF10 or a J7/T7 environment, I’d greatly appreciate comments here.
Also looking at a commercial product “FuseGuard” which is apparently a WAF specifically for CF, written using CFML. While I’m obviously attempting to stay in the free world of rules, I am open to any recommendations for commercial stuff too.