owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

SecStatusEngine should be "Off" in modsecurity.conf-recommended #3085

Closed fzipi closed 2 months ago

fzipi commented 2 months ago

Describe the bug

v2 states that

# NB: As of April 2022, there is no longer any advantage to turning this
# setting On, as there is no active receiver for the information.

and has the setting turned off in https://github.com/owasp-modsecurity/ModSecurity/blob/705002be2ba23b01bd9c895a8d01ebd9fd141ceb/modsecurity.conf-recommended#L239

But v3 has it enabled in https://github.com/owasp-modsecurity/ModSecurity/blob/4e4f3291ad2f65df7b945d3fdc4ef67d6fcc631d/modsecurity.conf-recommended#L284.

Expected behavior

Both should be in sync, and turned off.

dune73 commented 2 months ago

Thanks for pointing this out.
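
An added example, not part of the thread or the ModSecurity project's code: a Python check that lists every uncommented SecStatusEngine line in a configuration file and reports those not set to Off, the state the issue asks both branches to share. The function names and the sample configuration are constructed for illustration; it assumes directive names are matched case-insensitively and does not follow Include directives.

```python
import shlex
import sys

# Constructed sample, not the project's modsecurity.conf-recommended.
SAMPLE_CONF = """\
SecRuleEngine DetectionOnly
# SecStatusEngine On
  secstatusengine "On"
SecAuditEngine RelevantOnly
SecStatusEngine Off
"""


def status_engine_directives(conf_text):
    """Return (line_number, value) for each uncommented SecStatusEngine line."""
    hits = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        try:
            tokens = shlex.split(line)  # handles quoted values such as "On"
        except ValueError:
            continue  # continuation lines or unbalanced quotes: not this directive
        # Assumption: directive names are case-insensitive.
        if len(tokens) >= 2 and tokens[0].lower() == "secstatusengine":
            hits.append((number, tokens[1].capitalize()))
    return hits


def lines_to_fix(conf_text):
    """Line numbers where SecStatusEngine is set to anything other than Off.

    Every such line is reported, so the result does not depend on which
    occurrence the engine would treat as the effective one.
    """
    return [n for n, value in status_engine_directives(conf_text) if value != "Off"]


if __name__ == "__main__":
    # Usage: python check_status_engine.py /path/to/modsecurity.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    bad = lines_to_fix(text)
    for n in bad:
        print(f"line {n}: SecStatusEngine is not Off")
    sys.exit(1 if bad else 0)
```

A file with no SecStatusEngine line at all yields an empty list, so an unset directive is not distinguished from one set to Off.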