Yesterday Magento released another patch for a critical RCE vulnerability in REST APIs.
They automatically protected Cloud customers with WAF rules on Fastly, but left a hotfix patch for other customers.
A hotfix patch that might affect complex API calls and take hours to fix and apply if an endpoint is affected.
A lot of our clients have CloudFlare and we were thinking about implementing WAF rules as a temporary security measure while we’re testing and applying a proper patch.
I wasn’t able to find any information on what the WAF on Fastly looks like; our initial implementation is to block PUT, POST and PATCH requests to /rest/ endpoints that don’t contain a ‘content-type’ header with an ‘application/json’ value.
Would that be enough?
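As an added illustration (not code from the poster or from Magento/Cloudflare), the rule described above modelled in Python so it can be tried against constructed requests before it is written as a real WAF expression. It assumes the REST prefixes `/rest/` and `/index.php/rest/` and treats header names and the Content-Type media type case-insensitively, ignoring parameters such as `charset`.

```python
"""Model of the proposed WAF rule: block PUT/POST/PATCH to REST paths without a JSON Content-Type."""
from typing import Dict, List, Tuple

BLOCKED_METHODS = {"POST", "PUT", "PATCH"}
# Assumption: Magento's REST API is reachable under both of these path prefixes.
REST_PREFIXES = ("/rest/", "/index.php/rest/")


def _header(headers: Dict[str, str], name: str) -> str:
    # HTTP header names are case-insensitive; normalise before comparing.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_rest_path(path: str) -> bool:
    # Lower-case the path so /REST/ or /Index.php/rest/ are not missed.
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in REST_PREFIXES)


def has_json_content_type(headers: Dict[str, str]) -> bool:
    # Content-Type may carry parameters ("application/json; charset=utf-8"),
    # so only the media type is compared, not the whole header value.
    media_type = _header(headers, "content-type").split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def should_block(method: str, path: str, headers: Dict[str, str]) -> bool:
    """Return True when the request matches the proposed blocking rule."""
    if method.upper() not in BLOCKED_METHODS:
        return False
    if not is_rest_path(path):
        return False
    return not has_json_content_type(headers)


# Constructed sample requests: (method, path, headers, expected block decision).
SAMPLES: List[Tuple[str, str, Dict[str, str], bool]] = [
    ("POST", "/rest/V1/guest-carts", {"Content-Type": "application/json"}, False),
    ("POST", "/rest/V1/guest-carts", {"content-type": "application/json; charset=utf-8"}, False),
    ("PUT", "/rest/V1/products/1", {"Content-Type": "application/xml"}, True),
    ("PATCH", "/index.php/rest/V1/products/1", {}, True),
    ("GET", "/rest/V1/products", {}, False),
    ("POST", "/checkout/cart/add", {"Content-Type": "application/x-www-form-urlencoded"}, False),
]


def check_samples() -> List[Tuple[str, str]]:
    """Evaluate every sample; return the (method, path) pairs whose decision differs from expected."""
    return [(m, p) for m, p, h, expected in SAMPLES if should_block(m, p, h) != expected]


if __name__ == "__main__":
    for m, p, h, _ in SAMPLES:
        print(m, p, "BLOCK" if should_block(m, p, h) else "allow")
```

The model looks only at method, path and Content-Type; it says nothing about what is inside a JSON body.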