From 0275c8847b3d8e2bc818d42306b0b362c68b6084 Mon Sep 17 00:00:00 2001 From: Martin Vierula Date: Tue, 21 Dec 2021 06:18:53 -0800 Subject: [PATCH] Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended --- CHANGES | 2 ++ modsecurity.conf-recommended | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/CHANGES b/CHANGES index 69856cfe..3effd887 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ v3.x.y - YYYY-MMM-DD (to be released) ------------------------------------- + - Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended + [Issue #2647 @theMiddleBlue, @airween, @877509395 ,@martinhsv] v3.0.6 - 2021-Nov-19 diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended index 6e2f1bb7..f4d50ce7 100644 --- a/modsecurity.conf-recommended +++ b/modsecurity.conf-recommended @@ -52,6 +52,11 @@ SecRequestBodyNoFilesLimit 131072 # SecRequestBodyLimitAction Reject +# Maximum parsing depth allowed for JSON objects. You want to keep this +# value as low as practical. +# +SecRequestBodyJsonDepthLimit 512 + # Verify that we've correctly processed the request body. # As a rule of thumb, when failing to process a request body # you should reject the request (when deployed in blocking mode)
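Review bot: In the CHANGES hunk, the credit line has the space on the wrong side of the comma in "@877509395 ,@martinhsv", while the other handles on that line are separated by a comma followed by a space. Suggest "@877509395, @martinhsv" so the entry is consistent.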
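Review bot: In the modsecurity.conf-recommended hunk, the new comment tells the operator to keep the value "as low as practical", but the shipped default is 512 and nothing explains why that number was chosen or what a reasonable lower value looks like. Suggest adding a sentence with the rationale for 512 and a hint for sizing it down when the protected application only accepts shallow JSON. The comment also does not say what happens when a body exceeds the limit. One line stating whether that surfaces as a request body processing failure, which the comment block that follows says should be rejected in blocking mode, would show operators how this directive interacts with that check.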