The Plone Security Team (via @loechel) got in contact with Michael from Cloudflare back last summer. Cloudflare is currently implementing a new product around their Web Application Firewall (WAF) for Cloudflare Enterprise, with predefined managed rulesets for different setups. Michael asked us if we are interested in providing one or more OWASP rulesets on GitHub for Plone and having them included in Cloudflare as presets.
I can imagine having Plone (and Zope) locked down more if needed, with different rules for blocking ZMI access, no editor access, no access to Classic for Volto, and so on.
Overall I like the idea of having ready-to-use and maintained OWASP rulesets. Those can be used in your own Apache, Nginx or IIS setups as well.
Unfortunately I am the wrong person here, because I have zero experience with OWASP rulesets and WAFs.
Who would be interested in this? I am available to coordinate this, so I can schedule a meeting with all interested Plonistas and Michael, get repositories set up and so on (except that I am not available for writing and maintaining the rules).
I am sure some of you already have experience or even rulesets for Plone available. Please speak up!
We would be the first open-source project available at Cloudflare, so it might also be some advertisement for Plone as the secure CMS it is (and vice versa for Cloudflare, I know, but I think it's OK).