WAF managed rule to prevent dotenv vulnerability

Question

Hi There,

Please help to identify which WAF managed rule is responsible to prevent dotenv scanning e.g.

Examples
```
/.env, /docker/.env, /anypath/.env
```
I was thinking that that this rule `AWSManagedRulesCommonRuleSet` would help, but while testing it doesn't work and allows scanning dotenv

Thanks!

Answer

Hi,

These are couple of Rule sets that do have certain calls to env coverage :
> AWSManagedRulesUnixRuleSet  
> PHP RuleSet

we were not able to find anything specific for docker. However we would recommend you to consider managed rules and a base coverage using which you can write custom rules to meet any additional coverage that may be needed.

Here is the link which talks about managed rule groups :
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html#aws-managed-rule-groups-use-case-posix-os

I hope this helps.

Answer

Hi There!
Thank you for your answer!
I added 2 more AWS managed rules **AWSManagedRulesUnixRuleSet** and **AWSManagedRulesPHPRuleSet** but still can access .env

```
curl -I  https://example.com/.env
HTTP/2 404
content-type: application/json
```

Any thoughts?

WAF managed rule to prevent dotenv vulnerability

관련 콘텐츠