Questions tagged [mod-security]

ModSecurity supplies an array of request filtering and other security features to the Apache HTTP Server. ModSecurity is a web application layer firewall.

As of December 27, 2015 the latest stable release of ModSecurity is version 2.9.0.

476 questions
6 votes, 3 answers

Webpage returning HTTP 406 error only when connecting from Qt

I have a test page setup at http://mlecturedownload.com/test-qt.php that has the following code:
gsgx
5 votes, 2 answers

ModSecurity (in DetectionOnly mode) is not giving useful Logs/Warnings

I have configured the modsecurity-nginx connector on the Kubernetes Nginx Controller. Currently, my objective in using the ModSecurity WAF is to implement it in DetectionOnly mode, as I don't want to start blocking everything right away. So to fulfil that I used…
Shourabh
5 votes, 2 answers

Ubuntu 'Failed to restart apache2.service: Unit apache2.service not found.'

I am using Google Cloud Platform to test out ModSecurity and I am using a tutorial to launch it. However, I need to restart Apache every once in a while. I'm using Ubuntu 18.04. I write sudo systemctl restart apache2, but an error comes back and it…
5 votes, 2 answers

python web scraping request error(mod security)

I am new and I am trying to grab the source code of a web page for a tutorial. I have beautifulsoup and requests installed. At first I want to grab the source. I am doing this scraping job from "https://pythonhow.com/example.html". I am not doing anything illegal…
özgür Sanli
5 votes, 1 answer

How to write mod_security friendly PHP code?

I made a theme in WordPress which hit the mod_security rule on HostGator and gave a 403 error. I contacted people there (at HostGator) and they fixed it for me. But I don't want my theme to work like this. I just wanted to know if there are any…
kapeels
5 votes, 2 answers

How to disable mod_security and mod_security2 in .htaccess

I've created a WordPress plugin which became popular, but I'm getting lots of complaints that it's not working. After logging in to many users' WP websites (after asking for the admin password) I noticed that the last problem I can't easily solve is…
Pawel
5 votes, 1 answer

Installing ModSecurity with OWASP for Windows

I am trying to install ModSecurity in Windows to help protect my Coldfusion/Railo websites. I downloaded the MSI and installed it but it does not seem to block SQL injection when I tested to make sure it was working. My question is, does anybody…
user1709730
5 votes, 2 answers

configure error page to show the log of modsecurity

I am looking for a way to make the msg information of the rule (which rule had been triggered) appear in the error and/or audit log files and be sent back to the client in response headers. I understand that there is phase "msg" but it doesn't send…
Vladi Sandler
4 votes, 3 answers

Apache log line too much long

I have Cloud Foundry and a PHP app with mod-sec. The app receives a JSON POST from the browser. The post contains several images encoded in base 64, and Apache cuts this into several lines: 2020-05-01T13:49:31.69+0200 [APP/PROC/WEB/0] OUT 11:49:31 httpd modsec…
yalabef21
4 votes, 1 answer

ModSecurity SecRule to exclude an URL from any check

ModSecurity has a false positive when trying to open the URL: https://www.galgani.it/solitudine-contesti-virtuali-internet-facebook-social-network-smartphone/solitudine-e-contesti-virtuali.html It returns a 403 error. It's only a simple static HTML page…
Francesco Galgani
4 votes, 1 answer

Why ModSecurity OWASP rule blocks .axd files?

I've been going over WAF findings in an ASP.NET application. WAF is ModSecurity with OWASP CRS. One of the findings is: URL file extension is restricted by policy, Rule ID 920440 and it fired at files WebResource.axd and ScriptResource.axd. I did…
4 votes, 2 answers

Modsecurity & Apache: How to limit access rate by header?

I have both Apache and Modsecurity working together. I'm trying to limit hit rate by request's header (like "facebookexternalhit"). And then return a friendly "429 Too Many Requests" and "Retry-After: 3". I know I can read a file of headers…
Luciano Fantuzzi
4 votes, 1 answer

Compiling ModSecurity in NGINX OSS

I am trying to compile ModSecurity for the Nginx OSS web server. I have followed all of the instructions from their "Quick Start Guide", but am running into an issue. After linking up the new module, the config test fails. Error output from…
Andrew Brown
4 votes, 3 answers

Modsecurity: Excessive false positives

I've just set up Apache modsecurity on a server, and in principle it works well, but I am getting rather a lot of false positives. I'm using the OWASP ModSecurity Core Rule Set (CRS), essentially "out of the box". I'm running in "self-contained"…
Sommel
4 votes, 1 answer

mod_security / Atomicorp Basic WAF: URI in POST

I use mod_security with the WAF Basic Rules by Atomicorp.com on my Apache webserver. It prevents me from doing a POST of a form containing a URI. For example, if I POST https://example.com/demo via a form, a 403 Forbidden error occurs. This…
Richard