@yes_noscript: Please use code tags instead of quote tags in the future for posting things like that, because the board will linkify things incorrectly otherwise and it's easier to read as code tags (which use monospace font) in these cases anyway (especially if there's a lot of code, where it'd be a big wall of text otherwise).
Also, your post is off-topic so I'm splitting it to its own thread.
Anyway, my comments on your ABE rules with regard to security. The rules I didn't comment on, I think will help your security somehow.
Your "maximum security" rules are just going to break everything that requires any kind of 3rd-party script (or even 3rd-party redirection), and you will probably find yourself editing that all the time to add exceptions. But hey, to each their own - if you want to do that, by all means go for it.
(I don't think they'll add anything to security over NoScript's script blocking.)
```text
# prevent CSRF
Accept from SELF
# prevent insecure resources
Deny from *mybanksite*
```
Your bank site doesn't have multiple subdomains that are sensitive that need to talk to each other?
I would have thought that you would need SELF++ and maybe another associated site, but if this really works for you, then you can congratulate your bank site's webmasters for good site design.
```text
# Allow all Google recaptcha and Maps, but sandbox all www.google.com.*
Site .youtube.com .ytimg.com .googlevideo.com
```
Barring Google getting hacked, these do absolutely nothing for security, however they can help protect your privacy.
If Google gets hacked only the first will help you (and only maybe at that, depending on the hack).
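For comparison, here is an ABE ruleset for the bank-site case raised above, written as an added illustration for this thread rather than taken from either poster's rules. The host names `mybank.example` and `partner.example` are made up, and the rule assumes (as the reply above does) that `SELF++` covers the site together with its subdomains, so that sensitive subdomains can still talk to each other while cross-site requests that could change account state are refused:

```text
# Protect the bank and all of its subdomains as one application
Site .mybank.example

# Requests originating from the bank itself (including subdomains)
# and from one trusted partner site are allowed in full
Accept from SELF++ .partner.example

# Plain hyperlinks from anywhere else are still fine (no state change)
Accept GET

# Everything else, e.g. cross-site POSTs that could be CSRF, is refused
Deny
```

The point of the `Accept GET` line is that ordinary links into the bank keep working; only cross-origin requests that can alter state are blocked, which is the CSRF case the original "Accept from SELF" rule was aiming at without breaking multi-subdomain sites.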