The WAF Dilemma
How I lowered false positives with NGINX App Protect without compromising security.
To avoid WAF SQLi, XSS, etc. false positives on HTTP POST payloads, the app developer can encode the payload using common Base64; then the app server can easily decode it back.
https://developer.mozilla.org/en-US/docs/Web/API/Window/btoa
Encrypting the payload using a light cipher such as AES-128 is also possible.
JavaScript can do AES encryption, and it will be hardware accelerated.
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt
https://en.wikipedia.org/wiki/AES_instruction_set
Great input 👍
My problem is usually that I don't have access to the app owners, or it is a standard software stack where this is not an option.
Even if you pack your payload, you will still have issues with the Base64 character set, which in itself creates a lot of false positives.