mod_security is a hack that you put in front of hacks to make them collapse in a more amusing manner. The idea is to stop the dumbest of dumb attacks.

People after 20 million credit card numbers can probably find two bugs to exploit, rendering the "protection" useless.

People trying to protect 20 million credit card numbers need to learn how to sanitize inputs and be able to render correct pages even if someone submits <script>'drop database. If they don't know how, it's time to hire programmers to write your applications instead of the monkeys you currently have.
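The comment above says a site should sanitize its inputs and still render a correct page when someone submits `<script>'drop database`. The following Python example (added here; it is not code from the thread or from any poster) shows the two failure points that string implies, a SQL lookup and an HTML template, each in the collapsing form beside the hardened form. The table, rows and function names are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed hostile input: the exact string the comment cites.
HOSTILE_INPUT = "<script>'drop database"


def setup_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("bob",), (HOSTILE_INPUT,)],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the value is spliced into the SQL text, so a quote in
    the input changes the structure of the statement instead of being data."""
    query = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the driver binds the value as a parameter, so the input
    is never parsed as SQL and the lookup succeeds for any string."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def unsafe_lookup_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True when the string-built query is no longer valid SQL for this input,
    i.e. the page would error out instead of rendering."""
    try:
        find_user_unsafe(conn, name)
        return False
    except sqlite3.Error:
        return True


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable form: raw input lands in the HTML body, so a <script> tag
    in the input becomes markup the browser executes."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened form: escape for the HTML text context so <, >, &, ' and "
    are shown literally and cannot open a tag or attribute."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = setup_db()
    print("string-built query breaks:", unsafe_lookup_breaks(db, HOSTILE_INPUT))
    print("parameterised lookup:", find_user_safe(db, HOSTILE_INPUT))
    print("unescaped page:", render_greeting_unsafe(HOSTILE_INPUT))
    print("escaped page:  ", render_greeting_safe(HOSTILE_INPUT))
```

The two hardened functions are the whole point: parameter binding keeps the database from reading user data as SQL, and context-aware escaping keeps the browser from reading it as HTML, so the same hostile string is stored, found and displayed correctly with nothing in front of the application.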




I'd much rather put up some barriers that'll make it harder for the hackers. I'm not saying modsecurity (or anything else) is a perfect prevention, but combined with other things I can't see how you can argue it's _not_ useful. Are you so confident in your sanitized inputs that you run your webserver as root?

I have it deployed on sites where people are using Drupal and Wordpress with addon modules. I have at least 2 documented cases where it's stopped an exploit that would otherwise have gotten through (though I'm fairly sure the setup of the webserver would have stopped anything bad from happening).

Your last sentence seems to be suggesting I was supporting a "just chuck modsecurity in front of it and don't worry about security" attitude, which I wasn't at all. All my original reply was trying to say is that an Application Level Firewall is still a firewall.


I agree; I always design my software with as many failsafes as possible. For example, I design my applications to crash safely. But, I also try to make sure they never crash.

Similarly, web application developers need to make sure that their app is 100% safe without hacks like mod_security. But after you do that, sure, turn on mod_security. People and processes can fail, and it's good to have as many failsafes as possible.

I object to things like mod_security because, in general, people write piece of shit apps and then think they are safe because the mod has the word "security" in it. That doesn't make you safe, that makes you ignorant.


Please keep in mind that mod_security does a lot more than sanitize input. I use it to limit and control invalid http authentications, which is not natively supported in Apache.


> Are you so confident in your sanitized inputs that you run your webserver as root?

I don't see what the first half of this sentence has to do with the second. No, I will not run my webserver as root but that has literally nothing to do with sanitizing input.



