Disable ModSecurity for a specific URL

On a web site that is protected with ModSecurity, when admin edit HTML pages in admin area, ModSecurity falsely detect it as XSS attack.

ModSecurity

What we can do is disable specific rules that create this false positive. But in this case, it is bceause HTML is submitted. This application normally done need HTML submitted on any other part of the site. So it is better to disable ModSecurity for the specific URL that causes this error.

To do this, add the following code to the Apache VirtualHost entry for this website.

<If "%{REQUEST_URI} =~ m#/admin_area/manage_pages.php#">
    SecRuleEngine Off
</If>

<If "%{REQUEST_URI} =~ m#/admin_area/edit_announcement.php#">
    SecRuleEngine Off
</If>

This will disable ModSecurity for URLs /admin_area/manage_pages.php and /admin_area/edit_announcement.php

Back to ModSecurity

Need help with Linux Server or WordPress? We can help!

Leave a Reply

Your email address will not be published. Required fields are marked *