learning_mode
The 'learning_mode' directive enables the automatic generation of whitelisting rules based on the observed behavior of requests to improve security against XSS and SQL injection.
Description
The 'learning_mode' directive is part of the NAXSI module, which serves as an anti-XSS and SQL injection tool for NGINX. When this directive is enabled, it allows the web application firewall to enter a learning phase where it observes incoming requests and identifies patterns that are valid for the specific application. This phase helps to reduce false positives by automatically generating whitelisting rules based on the legitimate traffic patterns it detects. By analyzing what constitutes normal behavior for requests, administrators can later enforce stricter rules without accidentally blocking legitimate traffic.
It is especially beneficial for new applications or during initial deployment, as it helps define acceptable behaviors dynamically. Once the learning phase is complete, administrators can transition the server into a stricter mode where only requests matching the generated whitelists will be accepted. This two-phase approach helps balance security and usability, making it easier for site administrators to fine-tune their rules. Additionally, while in learning mode, NAXSI logs the requests it detects, which lets administrators review the generated whitelist rules, validate that they are accurate, and adjust them where necessary.
Config Example
server {
    location / {
        learning_mode;
        # Additional NAXSI configurations
    }
}

Learning mode can produce a large number of whitelists if traffic is highly varied, necessitating careful review.
It is crucial to monitor logs during the learning phase to understand what rules are being generated and adjust them accordingly.
Leaving learning mode enabled for too long can lead to an overly permissive security posture: if the generated exceptions are not managed, every observed request pattern, including unwanted ones, ends up whitelisted.
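The log review described above is the step that keeps learning mode from becoming a rubber stamp. The following Python script is an added example, not part of this page or of the NAXSI project: it reads nginx error-log lines in NAXSI_FMT shape (the format NAXSI writes while learning; note that NAXSI's own configuration spells the directive LearningMode), turns each reported match into a candidate BasicRule whitelist, counts how often each candidate was hit, and separates frequently seen candidates from rare ones so that the rare ones can be checked by hand before anything is whitelisted. The log lines, rule ids, hostnames and the min_hits threshold are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample lines in the NAXSI_FMT shape written to the nginx error log
# while learning mode is on (learning=1). Hosts, IPs and rule ids are made up.
SAMPLE_LOG = """\
2024/01/01 10:00:00 [error] 11#0: *1 NAXSI_FMT: ip=10.0.0.5&server=app.example&uri=/search&learning=1&vers=1.3&total_processed=10&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1013&var_name0=q, client: 10.0.0.5, server: app.example, request: "GET /search?q=it's HTTP/1.1"
2024/01/01 10:00:01 [error] 11#0: *2 NAXSI_FMT: ip=10.0.0.6&server=app.example&uri=/search&learning=1&vers=1.3&total_processed=11&total_blocked=4&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1013&var_name0=q, client: 10.0.0.6, server: app.example, request: "GET /search?q=o'neil HTTP/1.1"
2024/01/01 10:00:02 [error] 11#0: *3 NAXSI_FMT: ip=10.0.0.7&server=app.example&uri=/login&learning=1&vers=1.3&total_processed=12&total_blocked=5&block=1&cscore0=$XSS&score0=8&zone0=BODY&id0=1302&var_name0=password&cscore1=$SQL&score1=4&zone1=BODY&id1=1000&var_name1=username, client: 10.0.0.7, server: app.example, request: "POST /login HTTP/1.1"
2024/01/01 10:00:03 [error] 11#0: *4 NAXSI_FMT: ip=10.0.0.9&server=app.example&uri=/wp-admin&learning=1&vers=1.3&total_processed=13&total_blocked=6&block=1&cscore0=$SQL&score0=8&zone0=URL&id0=1015&var_name0=, client: 10.0.0.9, server: app.example, request: "GET /wp-admin HTTP/1.1"
"""

MARKER = "NAXSI_FMT: "


def extract_fmt(line):
    """Return the key=value fields of one NAXSI_FMT event as a dict, or None."""
    if MARKER not in line:
        return None
    payload = line.split(MARKER, 1)[1]
    # nginx appends ", client: ..." after the NAXSI payload; drop it.
    payload = payload.split(", client:", 1)[0]
    return dict(parse_qsl(payload, keep_blank_values=True))


def matches(fields):
    """Yield (rule_id, zone, var_name, uri) for each numbered match in one event."""
    i = 0
    while f"id{i}" in fields:
        yield (fields[f"id{i}"], fields[f"zone{i}"],
               fields.get(f"var_name{i}", ""), fields["uri"])
        i += 1


def whitelist_for(rule_id, zone, var_name, uri):
    """Build the BasicRule whitelist that would silence this exact match."""
    # A zone such as "ARGS|NAME" means the pattern matched the variable name,
    # not its value; the whitelist must carry the same |NAME qualifier.
    base, _, name_flag = zone.partition("|")
    if base == "URL":
        mz = f"$URL:{uri}|URL"
    else:
        mz = f"${base}_VAR:{var_name}"
        if name_flag:
            mz += "|NAME"
    return f'BasicRule wl:{rule_id} "mz:{mz}";'


def candidate_whitelists(log_text, min_hits=2):
    """Split candidates into (accepted, review) by how often each was hit.

    Frequency is only a heuristic: repeated hits suggest normal application
    behaviour, rare hits are more likely probes, but both sets deserve a look.
    """
    counts = Counter()
    for line in log_text.splitlines():
        fields = extract_fmt(line)
        if fields is None or fields.get("learning") != "1":
            continue
        for rule_id, zone, var_name, uri in matches(fields):
            counts[whitelist_for(rule_id, zone, var_name, uri)] += 1
    accepted = {wl: n for wl, n in counts.items() if n >= min_hits}
    review = {wl: n for wl, n in counts.items() if n < min_hits}
    return accepted, review


if __name__ == "__main__":
    accepted, review = candidate_whitelists(SAMPLE_LOG)
    print("# candidates seen often enough to consider:")
    for wl, n in sorted(accepted.items(), key=lambda kv: -kv[1]):
        print(f"{wl}  # {n} hits")
    print("# rare candidates, check by hand before whitelisting:")
    for wl, n in sorted(review.items()):
        print(f"# {wl}  # {n} hit(s)")
```

Run against a real error log, the script will typically emit far more candidates than the four above, which is the "large number of whitelists" the text warns about; the point of the split is that a one-off hit on a path such as /wp-admin is something to investigate, not something to whitelist just because it appeared during the learning window.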