ModSecurity/rules/modsecurity_crs_30_http_policy.conf

# ---------------------------------------------------------------
# Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#%name 30 - HTTP policy enforcement
#%desc The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.

# Few applications require the breadth and depth of the HTTP protocol. On the 
# other hand many attacks abuse valid but rare HTTP use patterns. Restricting 
# HTTP protocol usage is effective in therefore effective in blocking many 
# application layer attacks. 
#
# TODO If you are using the ModSecurity Core Ruleset template system you can set 
#      the policy limitations in the ruleset.config file. Otherwise edit this 
#      file manually to set you policy limitations.
#
# TODO Many automation programs use non standard HTTP requests. While you may 
#      want to allow some of those, try not to create exceptions only for the
#      automated program based on properties such as their source IP address or
#      the URL they access.
#

SecDefaultAction "pass,log,status:400,phase:1"

# allow request methods
#
# TODO Most applications only use GET, HEAD, and POST request
#      methods, if so uncomment the line below. Otherwise you are advised 
#      to edit the line before uncommenting it.
#
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
    "phase:1,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032'"


# Restrict witch content encodings we accept.
#
# TODO Most applications support only two encodings for request bodies
#      because that is all browsers know how to produce. If you are using
#      automated tools to talk to the application you may be using other
#      content types and would want to change the list of supported encodings.
# 
#      Note though that ModSecurity parses only three content encodings:  
#      application/x-www-form-urlencoded, multipart/form-data request and 
#      text/xml. The protection provided for any other type of encoding is 
#      inferior.
#
# TODO There are many applications that are not using multipart/form-data
#      encoding (typically only used for file uploads). This content type
#      can be disabled if not used.  
#
# NOTE We allow any content type to be specified with GET or HEAD
#      because some tools incorrectly supply content type information
#      even when the body is not present. There is a rule further in
#      the file to prevent GET and HEAD requests to have bodies to we're
#      safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
#      applications running on the PocketPC and AvantGo platforms use
#      non-standard content types:
#
#      M-Business iAnywhere      application/x-mal-client-data
#      UltraLite iAnywhere       application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
    "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content encoding is not allowed by policy',id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)"

# Restrict protocol versions.
#
# TODO All modern browsers use HTTP version 1.1. For tight security, allow only 
#      this version. 
#
# NOTE Automation programs, both malicious and non malicious many times use 
#      other HTTP versions. If you want to allow a specific automated program
#      to use your site, try to create a narrower expection and not allow any 
#      client to send HTTP requests in a version lower than 1.1  
#       
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
    "t:none, deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034'"

# Restrict file extension
#
# TODO the list of file extensions below are virtually always considered unsafe
#      and not in use in any valid program. If your application uses one of 
#      these extensions, please remove it from the list of blocked extensions.
#      You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
#      comment the whole rule.       
#
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\w{,5}~|webinfo|ht[rw]|xs[dx]|exe|key|mdb|old)$" \
    "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"



# Restricted HTTP headers 
#
# TODO the list of HTTP headers below are considered unsafe for your environment.
#      If your application uses one of these directories, please remove it from 
#      the list of blocked extensions. You may need to use ModSecurity Core Rule 
#      Set Templates to do so, otherwise comment the whole rule.       
#
SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
    "deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"


## -- Apache Limits ----------------------------------------------------------

# These are Apache limit directives, but we are including them here because
# they are often forgotten. If you already have these configured leave this
# section entirely commented-out. Otherwise review the limits and uncomment
# the directives.

# Maximum size of the request body.
#
# NOTE If your application allows file uploads the value below will
#      most likely be way to low.
#
#LimitRequestBody 64000

# Maximum number of request headers in a request.
#
#LimitRequestFields 32

# Maximum size of request header lines.
#
#LimitRequestFieldSize 8000

# Maximum size of the request line.
#
#LimitRequestLine 4000