Disable ModSecurity for a specific URL
On a web site that is protected with ModSecurity, when admin edit HTML pages in admin area, ModSecurity falsely detect it as XSS attack.
What we can do is disable specific rules that create this false positive. But in this case, it is bceause HTML is submitted. This application normally done need HTML submitted on any other part of the site. So it is better to disable ModSecurity for the specific URL that causes this error.
To do this, add the following code to the Apache VirtualHost entry for this website.
<If "%{REQUEST_URI} =~ m#/admin_area/manage_pages.php#">
SecRuleEngine Off
</If>
<If "%{REQUEST_URI} =~ m#/admin_area/edit_announcement.php#">
SecRuleEngine Off
</If>
This will disable ModSecurity for URLs /admin_area/manage_pages.php and /admin_area/edit_announcement.php
Back to ModSecurity