Having the Sec[Request|Response]BodyAccess deprecated

2025-11-17 01:51:52 +03:00 · 2020-12-23 12:31:07 -03:00
parent 62d35fbf97
commit ae128ad94d
6 changed files with 1086 additions and 938 deletions
--- a/modsecurity.conf-recommended
+++ b/modsecurity.conf-recommended
@@ -9,11 +9,16 @@ SecRuleEngine DetectionOnly

 # -- Request body handling ---------------------------------------------------

+#
 # Allow ModSecurity to access request bodies. If you don't, ModSecurity
 # won't be able to see any POST parameters, which opens a large security
 # hole for attackers to exploit.
 #
-SecRequestBodyAccess On
+# IMPORTANT: SecRequestBodyAccess is no longer supported. The Request Body
+#            will be processed whenever a variable depends on it.
+#
+# SecRequestBodyAccess On
+#


 # Enable XML request body parser.
@@ -146,7 +151,13 @@ SecRule TX:/^MSC_/ "!@streq 0" \
 # Do keep in mind that enabling this directive does increases both
 # memory consumption and response latency.
 #
-SecResponseBodyAccess On
+# IMPORTANT: SecResponseBodyAccess is no longer supported. The Response Body
+#            will be processed whenever a variable depends on it.
+#
+# SecResponseBodyAccess On
+#
+#
+

 # Which response MIME types do you want to inspect? You should adjust the
 # configuration below to catch documents but avoid static files