I noticed the new “Extra Web Security” option when creating a new domain. (According to the knowledge base entry on the subject, checking this box turns on something called mod_security.)
From what I can tell, mod_security can be used to block everything from cross-site scripting and SQL injection attacks to server bug exploits. But since it’s up to the server admin to decide what filters to use, I’m wondering what it’s configured to do here. This information would help me figure out two things:
- Will my own scripts work with extra security enabled?
- Even if I don’t enable the option now, what programming techniques should I avoid if I want to ensure that future scripts will be compatible with mod_security?
Since I haven’t seen this feature announced anywhere, maybe it’s not “official” yet.