open-appsec rules for protecting ActivityPub-based services
Repository contents:
  conf/local_policy.yaml (last updated 2026-01-21)
  LICENSE (added 2026-01-12)
  README.md (last updated 2026-01-17)

ActivityPub Web Application Firewall

About

This repo documents our open-appsec rules for protecting ActivityPub-based services. open-appsec is a Web Application Firewall (WAF), also marketed as Web Application and API Protection (WAAP), that integrates with nginx. Disobey Discotheque (DD) runs it through NPMplus, a Nginx Proxy Manager fork that bundles open-appsec and simplifies this integration.

Goals

DD aims to:

  1. Document our open-appsec policy to establish trust with our communities.
  2. Share our open-appsec policy to help other communities stay secure.
  3. Seek critical feedback from privacy, security, and legal folx concerning our policies.

Community Trust

Web Application Firewalls and other cybersecurity engineering tools often default to logging as much data as possible. We aim to prioritize privacy engineering to respect fundamental rights, including privacy rights. Thankfully, open-appsec policy allows the most privacy-invasive logging to be turned off. Our policy:

  1. Only block critical events.
  2. Only log blocked events.
  3. Therefore, we only log blocked, critical events.
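To make those three rules concrete, here is an illustrative open-appsec local policy that expresses them. This is an added example for this README, not the contents of conf/local_policy.yaml; the key names follow the open-appsec v1beta1 local-policy schema as published upstream, and the practice, trigger and response names are made up for the example. The extended-logging toggles are where the remaining exposure of message content is decided, so check them against the schema shipped with your open-appsec version before relying on them.

```yaml
# Illustrative open-appsec local policy (example, not this repository's conf/local_policy.yaml).
# Key names follow the v1beta1 local-policy schema; names such as webapp-critical-only,
# log-blocked-only and blocked-response are assumptions chosen for this example.
policies:
  default:
    mode: prevent-learn          # enforce (block) and keep learning; "detect-learn" would only flag
    practices:
      - webapp-critical-only
    triggers:
      - log-blocked-only
    custom-response: blocked-response

practices:
  - name: webapp-critical-only
    web-attacks:
      override-mode: prevent-learn
      # Rule 1: only block critical events. Requests scored high or medium confidence
      # are let through (and, with the trigger below, never logged).
      minimum-confidence: critical

log-triggers:
  - name: log-blocked-only
    access-control-logging:
      allow-events: false        # do not record allowed requests
      drop-events: true
    appsec-logging:
      detect-events: false       # Rule 2: nothing is logged for requests that were merely flagged
      prevent-events: true       # blocked (prevented) requests are logged
      all-web-requests: false    # never log every request
    additional-suspicious-events-logging:
      enabled: false
    extended-logging:
      # These decide how much of the original request lands in a blocked-event log entry.
      # Each one you enable is personal data you must then retain and protect.
      url-path: true
      url-query: false
      http-headers: false
      request-body: false
    log-destination:
      cloud: false               # keep logs on our own hardware only
      stdout:
        format: json

custom-responses:
  - name: blocked-response
    mode: block-page
    message-title: "Request blocked"
    message-body: "This request was blocked by our web application firewall."
    http-response-code: 403
```

With `minimum-confidence: critical` in the practice and `detect-events: false` in the trigger, the only log entries produced are for requests that were both scored critical and actually blocked, which is exactly rule 3. Flipping `request-body` or `http-headers` to true captures message content and tokens into those entries, so treat those two switches as the privacy boundary.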

Critical event logs do contain personal data: the content shared between people and ActivityPub instances, which can include public posts, private posts, and direct messages. For that reason we have spent months tuning our policies to minimize false positives, so that such content is logged only when a request is genuinely blocked. Further, the content and metadata contained in critical alerts are no different from the content and metadata already managed by our ActivityPub-based services.

DD does not copy, move, or share any of this data. We self-host on our own hardware, and no third parties have access to this data. Further, on the NPMplus server where the open-appsec data lives, we run a cron job that wipes logs older than 28 days.