
I got a lot of this error in my logs on a site hosted by OVH shared PRO:

ModSecurity: Warning. 
Operator LT matched 20 at TX:inbound_anomaly_score.
[file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] 
[line "32"] 
[msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]

It seems it comes from the WAF's conf. Does anybody know how to work around or fix those errors?

jwvh
Benjamin

1 Answer


The message you get is a typical message from ModSecurity when it blocks an incoming request due to a positive match in the Mod Security ruleset.

It seems your hoster uses the OWASP core ruleset for Mod Security, and the corresponding rule which throws the error is described as follows:

This chained rule first checks for the existence of a Pragma request header.  If it is found,
then it checks for a corresponding Cache-Control header (as the HTTP 1.1 RFC states clients should submit
one).  If this is also missing, then it verifies the HTTP protocol version.  If it is 1.1 then the rule

Generally this rule makes sense, since it blocks incoming requests which are not compliant with the HTTP RFC.

If you want to disable the rule, you can place the following into your webserver configuration (if your hoster allows you to edit your virtual hosts configuration):

SecRuleRemoveById 960020

Please note that with Mod Security 2.x it is not possible to disable rules by using .htaccess files. So you must

derhansen
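A log triage sketch for entries like the one quoted in the question, added here as an example (not code from the original post or from ModSecurity): it tallies which rule message sits behind the anomaly-score warnings before any rule is removed, and mirrors the three conditions in the quoted rule description so a client's headers can be checked. The sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample entries in the shape of the log line quoted in the question.
_PREFIX = ('ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. '
           '[file "/usr/local/apache2/conf/modsecurity/base_rules/'
           'modsecurity_crs_60_correlation.conf"] [line "32"] ')
_PRAGMA = ('[msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): '
           'Pragma Header requires Cache-Control Header for HTTP/1.1 requests."]')
SAMPLE_LOG = [
    _PREFIX + _PRAGMA,
    _PREFIX + '[msg "Inbound Anomaly Score (Total Inbound Score: 4, SQLi=, XSS=): '
              'Constructed other rule message."]',
    _PREFIX + _PRAGMA,
    'an unrelated line that is not a correlation entry',
]

ENTRY_RE = re.compile(
    r'\[msg "Inbound Anomaly Score \(Total Inbound Score: (?P<score>\d+), '
    r'SQLi=(?P<sqli>\d*), XSS=(?P<xss>\d*)\): (?P<reason>[^"]*)"\]')

def parse_entry(line):
    """Return score, SQLi/XSS sub-scores and rule message, or None if no match."""
    m = ENTRY_RE.search(line)
    if m is None:
        return None
    # Empty sub-scores (as in "SQLi=, XSS=") are treated as 0.
    return {"score": int(m["score"]), "sqli": int(m["sqli"] or 0),
            "xss": int(m["xss"] or 0), "reason": m["reason"].rstrip(".")}

def summarize(lines):
    """List (rule message, hit count, highest total score), most frequent first."""
    counts, top = Counter(), {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        counts[entry["reason"]] += 1
        top[entry["reason"]] = max(top.get(entry["reason"], 0), entry["score"])
    return [(reason, n, top[reason]) for reason, n in counts.most_common()]

def trips_pragma_rule(protocol, headers):
    """True when Pragma is present, Cache-Control is absent and protocol is HTTP/1.1."""
    names = {name.lower() for name in headers}
    return "pragma" in names and "cache-control" not in names and protocol == "HTTP/1.1"

if __name__ == "__main__":
    for reason, hits, score in summarize(SAMPLE_LOG):
        print(f"{hits:3d} hits, max score {score}: {reason}")
```

If the summary shows the Pragma message coming from one client, adding a Cache-Control header on that client removes the warnings without touching the ruleset.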