LearningMode

The LearningMode directive enables an adaptive learning phase in the NGINX Anti XSS & SQL Injection module to automatically generate whitelisting rules based on traffic patterns.

Syntax:    LearningMode;
Default:   off
Context:   http, server, location, limit_except
Arguments: none

Description

The LearningMode directive puts the NGINX Anti XSS & SQL Injection (NAXSI) module into an automatic learning mode. In this mode NAXSI analyzes incoming requests to identify the legitimate traffic patterns and behaviours specific to the application it protects, including the input formats it accepts and the typical queries it receives. From the observed behaviour the module can derive the whitelisting rules it needs, so administrators do not have to specify every acceptable input by hand.

Learning mode supports NAXSI's DROP-by-default strategy, under which most unsolicited or potentially harmful traffic is blocked: it observes and collects details from legitimate requests and compiles them into whitelisting rules. Those rules then define how the firewall behaves and reduce false positives in security alerts. This adaptive approach suits dynamic or evolving applications whose traffic patterns change over time, and it helps mitigate the risks of serious vulnerabilities such as XSS and SQL injection.

How effective LearningMode is depends largely on how long the learning phase runs and how wide a range of requests it sees during that time. Administrators should review the generated whitelists regularly and refine them as necessary, so that malicious attempts stay blocked while valid user requests are allowed.

Config Example

http {
    LearningMode;    # learning mode is inherited by every server and location below
    server {
        location / {
            # Other configurations
        }
    }
}

Monitor the learning phase to confirm that legitimate traffic is being correctly identified and whitelisted. Failing to review the generated rules can leave security gaps.

Using LearningMode in production environments without proper monitoring may expose the application to attacks, especially if the generated rules are overly permissive.
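While learning mode is on, NAXSI records each rule match as a NAXSI_FMT line in the NGINX error log rather than blocking the request, and the whitelists are derived from those lines. As an added example that is not NAXSI's own tooling (nxtool/nxapi), the Python script below parses constructed learning-mode log lines, counts each (rule id, zone, variable, URL) exception and emits candidate BasicRule whitelist entries, marking the ones that would silence a rule for a whole zone so they can be reviewed before being applied. Assumed: the NAXSI_FMT key layout shown in the sample, and a minimum of two hits before an exception is proposed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of the NAXSI_FMT lines nginx writes to error.log while
# LearningMode is on (learning=1). Each entry lists a matched rule id, the
# zone it fired in and, where known, the offending variable name.
SAMPLE_LOG = """\
2024/01/01 10:00:00 [error] 1#0: *1 NAXSI_FMT: ip=10.0.0.5&server=app.example&uri=/search&learning=1&vers=1.3&total_processed=10&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q, client: 10.0.0.5, server: app.example
2024/01/01 10:00:01 [error] 1#0: *2 NAXSI_FMT: ip=10.0.0.6&server=app.example&uri=/search&learning=1&vers=1.3&total_processed=11&total_blocked=2&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q, client: 10.0.0.6, server: app.example
2024/01/01 10:00:02 [error] 1#0: *3 NAXSI_FMT: ip=10.0.0.7&server=app.example&uri=/login&learning=1&vers=1.3&total_processed=12&total_blocked=3&block=1&cscore0=$SQL&score0=4&zone0=BODY&id0=1008&var_name0=, client: 10.0.0.7, server: app.example
"""

FMT_RE = re.compile(r"NAXSI_FMT: ([^\s,]+)")  # payload ends at nginx's ", client:" suffix


def parse_exceptions(log_text):
    """Yield (rule_id, zone, var_name, uri) for each match in learning-mode lines."""
    for line in log_text.splitlines():
        m = FMT_RE.search(line)
        if not m:
            continue
        kv = {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}
        if kv.get("learning") != "1":
            continue  # a real block outside learning mode, not whitelist material
        i = 0
        while f"id{i}" in kv:  # one request can carry several id/zone/var triples
            yield kv[f"id{i}"], kv[f"zone{i}"], kv.get(f"var_name{i}", ""), kv["uri"]
            i += 1


def candidate_whitelists(log_text, min_hits=2):
    """Return (BasicRule line, scope, hits) per exception seen >= min_hits times.
    scope is "narrow" when pinned to one URL and variable, "broad" when no
    variable was logged and the rule would be silenced for the whole zone."""
    counts = Counter(parse_exceptions(log_text))
    result = []
    for (rid, zone, var, uri), hits in sorted(counts.items()):
        if hits < min_hits:
            continue  # a one-off hit is more likely a probe than legitimate traffic
        if var:
            mz, scope = f"$URL:{uri}|${zone}_VAR:{var}", "narrow"
        else:
            mz, scope = f"$URL:{uri}|{zone}", "broad"
        result.append((f'BasicRule wl:{rid} "mz:{mz}";', scope, hits))
    return result


if __name__ == "__main__":
    for rule, scope, hits in candidate_whitelists(SAMPLE_LOG, min_hits=1):
        print(f"{hits:>3} hits  {scope:<6}  {rule}")
```

Entries marked "broad" are the ones most likely to produce the overly permissive rules the text warns about; they should be narrowed to a named variable or dropped before the whitelist goes live.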
