<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: IIS Secure Parameter Filter (SPF) Released</title>
	<atom:link href="http://www.gdssecurity.com/l/b/2008/08/22/iis-secure-parameter-filter-spf-released/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gdssecurity.com/l/b/2008/08/22/iis-secure-parameter-filter-spf-released/</link>
	<description>Gotham Digital Science Security Blog</description>
	<lastBuildDate>Sat, 06 Mar 2010 20:58:26 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Brian Holyfield</title>
		<link>http://www.gdssecurity.com/l/b/2008/08/22/iis-secure-parameter-filter-spf-released/comment-page-1/#comment-168</link>
		<dc:creator>Brian Holyfield</dc:creator>
		<pubDate>Sat, 13 Sep 2008 02:21:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.gdssecurity.com/l/b/2008/08/22/iis-secure-parameter-filter-spf-released/#comment-168</guid>
		<description>@Stuart --  Two comments in reply to your question:

1 - SPF is undergoing some production testing now with some of our clients.  The current beta available for download should be usable for evaluation purposes to determine whether it addresses your problem.  

We released an updated version last week which specifically addressed performance optimization for Black-List protection mode.  Our current plan going forward is as follows...

Currently in Progress:
a) Beta testing to identify any bugs within current SPF functionality
b) Performance optimizations for Tamper Protection functionality

Next Phase:
c) Implement additional enhancements/features that would be useful based on user feedback

We would love your (and everyone else&#039;s) help on items A and C.  Please let us know of any existing bugs or new feature requests that you come across.   The performance improvements are internal code enhancements that we are already working on, so the next release will be significantly faster.  

2 - As for XSS defenses, SPF provides XSS protection in two ways:

First, it has the capability to implement Black-List regular expression patterns which can be applied to any variant of Query Strings, POSTs, and Cookies (similar to mod_security for Apache) to defend against malicious input containing XSS payload.  

Second, the tamper protection mechanism in SPF also provides inadvertent protection against reflected XSS vulnerabilities.  Reflected XSS vulnerabilities are not exploitable on URLs protected with SPF since the cryptographic token required for any given URL is tied to the user&#039;s session cookie and source IP address.  So in effect, even if a reflected XSS vulnerability is present it will not be exploitable. 

Hopefully my comment has answered your questions.  As always, please keep us posted on any feedback or additional questions you have.</description>
		<content:encoded><![CDATA[<p>@Stuart &#8212;  Two comments in reply to your question:</p>
<p>1 &#8211; SPF is undergoing some production testing now with some of our clients.  The current beta available for download should be usable for evaluation purposes to determine whether it addresses your problem.  </p>
<p>We released an updated version last week which specifically addressed performance optimization for Black-List protection mode.  Our current plan going forward is as follows&#8230;</p>
<p>Currently in Progress:<br />
a) Beta testing to identify any bugs within current SPF functionality<br />
b) Performance optimizations for Tamper Protection functionality</p>
<p>Next Phase:<br />
c) Implement additional enhancements/features that would be useful based on user feedback</p>
<p>We would love your (and everyone else&#8217;s) help on items A and C.  Please let us know of any existing bugs or new feature requests that you come across.   The performance improvements are internal code enhancements that we are already working on, so the next release will be significantly faster.  </p>
<p>2 &#8211; As for XSS defenses, SPF provides XSS protection in two ways:</p>
<p>First, it has the capability to implement Black-List regular expression patterns which can be applied to any variant of Query Strings, POSTs, and Cookies (similar to mod_security for Apache) to defend against malicious input containing XSS payload.  </p>
<p>Second, the tamper protection mechanism in SPF also provides inadvertent protection against reflected XSS vulnerabilities.  Reflected XSS vulnerabilities are not exploitable on URLs protected with SPF since the cryptographic token required for any given URL is tied to the user&#8217;s session cookie and source IP address.  So in effect, even if a reflected XSS vulnerability is present it will not be exploitable. </p>
<p>Hopefully my comment has answered your questions.  As always, please keep us posted on any feedback or additional questions you have.</p>
]]></content:encoded>
	</item>
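The comment above describes two mechanisms: black-list regular expressions applied to query string, POST and cookie values, and a per-URL cryptographic token bound to the user's session cookie and source IP. The following Python is an added example written for this page, not GDS's SPF code; the black-list patterns, the token parameter name __spf, the SERVER_KEY value, the path /search.aspx and the session ids and IP addresses are all constructed for the demo. It shows why a reflected-XSS URL built by an attacker fails verification in the victim's browser, and how the same payload is also caught by the black-list layer.

```python
import hashlib
import hmac
import re
from urllib.parse import urlencode

# --- Mechanism 1: black-list patterns over query string, POST body and cookies ---
# Constructed, illustrative patterns (not SPF's shipped rules). The '\x3c' escape is
# the '<' character; it is written this way so the file contains no angle brackets.
BLACKLIST = [
    re.compile(r"(?i)\x3c\s*/?\s*(script|iframe|object|embed)\b"),
    re.compile(r"(?i)\bjavascript\s*:"),
    re.compile(r"(?i)\bon[a-z]+\s*="),
    re.compile(r"(?i)expression\s*\("),
]


def blacklist_hits(request):
    """Return (source, name, pattern) for every value that matches a black-list pattern.

    request is a dict with keys 'query', 'post' and 'cookies', each mapping a
    parameter name to its value; all three sources are inspected.
    """
    hits = []
    for source in ("query", "post", "cookies"):
        for name, value in request.get(source, {}).items():
            for pat in BLACKLIST:
                if pat.search(value):
                    hits.append((source, name, pat.pattern))
    return hits


# --- Mechanism 2: tamper-protection token bound to session cookie and source IP ---
SERVER_KEY = b"assumed-server-side-secret-key"  # hypothetical; load from config in practice
TOKEN_PARAM = "__spf"                            # assumed name of the token parameter


def _canonical(path, params):
    """Sort the parameters so their order on the wire does not change the MAC input."""
    return path + "?" + urlencode(sorted(params.items()))


def make_token(path, params, session_id, client_ip, key=SERVER_KEY):
    """HMAC-SHA256 over the canonical URL, the session cookie and the client IP.

    Because the session id and IP are part of the MAC input, a token computed by
    anyone other than the server, for this user, from this address, will not match.
    """
    msg = "\n".join([_canonical(path, params), session_id, client_ip]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_link(path, params, session_id, client_ip):
    """Server side: return the outbound link's parameters with the token appended."""
    signed = dict(params)
    signed[TOKEN_PARAM] = make_token(path, params, session_id, client_ip)
    return signed


def verify_request(path, query, session_id, client_ip):
    """Inbound: pop the presented token, recompute it for THIS session and IP, compare."""
    query = dict(query)
    presented = query.pop(TOKEN_PARAM, "")
    expected = make_token(path, query, session_id, client_ip)
    return hmac.compare_digest(presented.encode(), expected.encode())


def demo():
    """Walk through the reflected-XSS scenario; returns a dict of outcomes."""
    victim = ("sess-victim-0001", "203.0.113.10")    # constructed session id and IP
    attacker = ("sess-attacker-9", "198.51.100.7")   # constructed
    path = "/search.aspx"

    # 1. Server renders a legitimate link for the victim; it verifies when she follows it.
    link = sign_link(path, {"q": "laptops"}, *victim)
    results = {"legit": verify_request(path, link, *victim)}

    # 2. Attacker crafts a reflected-XSS URL. Lacking the victim's cookie, the only
    #    token he can obtain is one for his own session/IP, so it fails in her browser.
    payload = "\x3cscript\x3ealert(document.cookie)\x3c/script\x3e"
    evil = sign_link(path, {"q": payload}, *attacker)
    results["xss_url_in_victim_browser"] = verify_request(path, evil, *victim)

    # 3. Even the victim's own valid token does not survive editing a covered parameter.
    tampered = dict(link)
    tampered["q"] = payload
    results["tampered_param"] = verify_request(path, tampered, *victim)

    # 4. The black-list layer flags the payload independently of the token.
    req = {"query": {"q": payload}, "post": {}, "cookies": {"theme": "dark"}}
    results["blacklist_hits"] = len(blacklist_hits(req))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In this example every parameter of a protected URL goes into the MAC input, so any parameter left out of the token computation would not be covered by the tamper check; the black-list pass is the layer that inspects values regardless of whether they are signed.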
	<item>
		<title>By: Stuart Hunt</title>
		<link>http://www.gdssecurity.com/l/b/2008/08/22/iis-secure-parameter-filter-spf-released/comment-page-1/#comment-167</link>
		<dc:creator>Stuart Hunt</dc:creator>
		<pubDate>Fri, 12 Sep 2008 15:25:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.gdssecurity.com/l/b/2008/08/22/iis-secure-parameter-filter-spf-released/#comment-167</guid>
		<description>This looks very interesting, and could help us in XSS mitigation. Do you have any ideas about the timescales for release? If you do then could you please e-mail me to let me know?
Thanks,
Stuart</description>
		<content:encoded><![CDATA[<p>This looks very interesting, and could help us in XSS mitigation. Do you have any ideas about the timescales for release? If you do then could you please e-mail me to let me know?<br />
Thanks,<br />
Stuart</p>
]]></content:encoded>
	</item>
</channel>
</rss>
