View more context



basically, my view is that you need to trust them to some degree, right? if you are letting them publish pages and upload files, you have already opened yourself up to so many attack vectors, that turning off mod_security seems to be a negligible change


if they’ve authenticated, I don’t need to block their request


if they’re not, though, that’s really when I want ModSecurity to kick in

andante could be the answer

Show 1 attachment(s)
Stack Overflow  
Disable mod_security by requested URL

I use mod_security with Apache 2.4. On this platform we have an ecommerce system using the following URL for its administrative tools: I want to achive to goals: Ac...

Hide attachment content

well crap - turning off the rules in the virtualhost config doesn’t seem to stop the request from getting blocked


Yeah there are a few ModSecurity rules that SilverStripe seems to trigger…