From 60be05914ce3b23bc126cfa61face7b75650448f Mon Sep 17 00:00:00 2001 From: Martin Vierula Date: Tue, 21 Dec 2021 06:30:28 -0800 Subject: [PATCH] Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended --- CHANGES | 2 ++ modsecurity.conf-recommended | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/CHANGES b/CHANGES index 14f49ec8..d006fa23 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ DD mmm YYYY - 2.9.x (to be released) ------------------- + * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended + [Issue #2647 @theMiddleBlue, @airween, @877509395 ,@martinhsv] * IIS: Update dependencies for Windows build as of v2.9.5 [@martinhsv] diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended index f357d95c..c84ddcea 100644 --- a/modsecurity.conf-recommended +++ b/modsecurity.conf-recommended @@ -58,6 +58,11 @@ SecRequestBodyInMemoryLimit 131072 # SecRequestBodyLimitAction Reject +# Maximum parsing depth allowed for JSON objects. You want to keep this +# value as low as practical. +# +SecRequestBodyJsonDepthLimit 512 + # Verify that we've correctly processed the request body. # As a rule of thumb, when failing to process a request body # you should reject the request (when deployed in blocking mode)
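Review bot: In the CHANGES hunk, the credit line has a misplaced comma, "@877509395 ,@martinhsv", with a space before the comma and none after it. Suggest "@877509395, @martinhsv" so the handle list is punctuated consistently. If the file's other entries put a separator between the issue number and the first handle, "Issue #2647 @theMiddleBlue" should follow that form too.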
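Review bot: In the modsecurity.conf-recommended hunk, the new comment advises keeping the value "as low as practical" but the shipped value is 512, with no rationale and no description of what happens to a request whose JSON nesting exceeds the limit. Suggest adding a line that states the outcome of exceeding the limit, in particular whether it is treated as a request body processing failure and so is handled by the "Verify that we've correctly processed the request body" check that follows. A hint on choosing a value would also help, for example the deepest nesting the protected application legitimately sends. Without that, an operator cannot tell whether 512 is meant as a safe ceiling or as a placeholder to tune down. The comment also says "JSON objects"; if nested arrays count toward the depth as well, it should say so.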