road to v0.0.1 🛸

[fabriziosalmi]

First of all thank You all for such kind support on checking, fixing and sharing golden suggestions 🍻

Here the prioritized tasks for v0.0.1: repository management and code improvements (fixes and easy wins).

Repository management

Release Tags:

• I will start using release tags for v0.0.1 and all subsequent releases.
• Tags will follow the semantic versioning format (e.g., v0.0.1, v0.1.0, v1.0.0).

Versioning:

• I will add a version variable to the code that reflects the current release tag.
• This version will be included in logs and the metrics output.

Change Logs:

• For v0.0.1, I'll manually update the README.md to include the changes in this release.
• For future releases, I'll explore using a CHANGELOG.md file and possibly automation tools to generate it.

Dependency Management:

• For v0.0.1 there are no extra dependencies required for this update. I will keep tracking all dependencies and update go.mod and go.sum accordingly.

Backward Compatibility:

I am committed to maintaining backward compatibility between releases as much as possible by respsecting such guidelines:

• Avoiding removal of existing configuration options and rules.
• Introducing new features as optional additions.
• Providing clear warnings for deprecated features, before removing them in future releases.
• Clearly documented breaking changes to help ease the transition.
• For version 0.0.1 there should be no breaking changes to the existing implementation.

Note

• Limitations: In certain situations a breaking change might be necessary (e.g. a security vulnerability). In that case I will provide clear information about those changes as early as possible._
• Config Checks: I recommend that users check the configuration before updating. For version 0.0.1 there are no major configuration changes that would require any checks.

Code improvements

Response Handling (Phases 3 and 4)

• Fix the logic to process response headers and body. ✅
• Fix rules that can target response headers and body using RESPONSE_HEADERS and RESPONSE_BODY targets. ✅
• Ensure rule matching and blocking work as expected on the response. ✅

Customizable Blocked Response:

• Add configuration options to customize the HTTP status code and the response body when a request is blocked. ✅
• Support both static text responses and loading the response content from files. ✅

Metrics Improvement:

• Improve the JSON format of the metrics if any changes are easy to do without breaking existing integrations. ✅

Log Improvements and Redaction:

• Add process time for requests and WAF processing features. ✅
• Add a configuration option to redact sensitive data (query parameters, specific headers) from the logs. ✅

Rate Limiting match_all_paths:

• Add a configuration option for match_all_paths in the rate limiting block to enable rate limiting all paths except the ones specified. ✅

Error Handling:

• Improve logging of errors during config parsing, rule loading, and other critical processes. ✅
• Add a warning log message if a configuration file is missing, but don't block the server from starting. ✅
• Ensure no errors will crash the server and that those are handled gracefully. ✅

Version Control:

• Add a version variable and include the version in the logs, and /metrics output. ☑️ <---- this and 0.0.1 will be out :)

Others:

• Add and update existing go tests ✅
• Add e2e tests ☑️
• Create initial benchmarks and reports (security, performances) ✅
• Update and improve the documentation ☑️
• Forgotten milestones and minor improvements 👯

[l0uisgrange]

It is a wonderful project! I’m sick of depending on the giants out there for my WAF. Thank you! I hope this is the beginning of a long and fun journey 🤩

[fabriziosalmi]

Some minor glitches still in the todo list, I expect to release v0.0.1 on the next weekend ☕