security - ModSecurity 3rd party cookie handling


I installed ModSecurity on my web server. The website contains 3rd party cookies (Google Analytics, AdRoller, etc.). ModSecurity sometimes blocks some of these cookies.

Is there a way to disable ModSecurity for these 3rd party cookies?
Can I set the list of cookies that ModSecurity is required to check?

Unfortunately you have to see which rules they flag, and then turn off those rules or turn them off for that particular argument. This involves adding config like this to your Apache config:

SecRuleUpdateTargetById 981172 !REQUEST_COOKIES:'/^__utm/'

More details of the commands are here: https://github.com/spiderlabs/modsecurity/wiki/reference-manual

My recommendation is to run in DetectionOnly mode for a bit to identify false positives.

I'm not aware of a big list of the tweaks you'd need to put in place depending on the software you use. Not a bad idea to set one up.

Then again, it would be nice if the rules were updated with common software like Google in mind. Though there's nothing to stop you (or me!) doing that ourselves and suggesting fixes to the free Core Rule Set that people use: https://github.com/spiderlabs/owasp-modsecurity-crs
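
An added example, not part of the original answer: one way to use a DetectionOnly period is to tally which rule ids fire on which cookies in the Apache error log and draft `SecRuleUpdateTargetById` exclusions only for an allow-list of third-party cookie prefixes. The log lines are constructed, the line layout assumed is that of ModSecurity 2.x, and the function names, rule id 999001 and the `session_id` cookie are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout.
# Rule id 981172 and the __utm prefix come from the answer; everything else
# (client IPs, file path, rule id 999001, cookie "session_id") is made up.
SAMPLE_LOG = r'''
[Wed Mar 05 10:12:01 2014] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "\\W{4,}" at REQUEST_COOKIES:__utmz. [file "/etc/modsecurity/example.conf"] [line "1"] [id "981172"] [msg "constructed"] [uri "/"]
[Wed Mar 05 10:12:09 2014] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match "\\W{4,}" at REQUEST_COOKIES:__utmz. [file "/etc/modsecurity/example.conf"] [line "1"] [id "981172"] [msg "constructed"] [uri "/shop"]
[Wed Mar 05 10:13:30 2014] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "\\W{4,}" at REQUEST_COOKIES:__utma. [file "/etc/modsecurity/example.conf"] [line "1"] [id "981172"] [msg "constructed"] [uri "/"]
[Wed Mar 05 10:14:02 2014] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "\\W{4,}" at REQUEST_COOKIES:session_id. [file "/etc/modsecurity/example.conf"] [line "1"] [id "981172"] [msg "constructed"] [uri "/login"]
[Wed Mar 05 10:15:44 2014] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/etc/modsecurity/example.conf"] [line "2"] [id "999001"] [msg "constructed"] [uri "/search"]
'''

HIT = re.compile(r'ModSecurity: .*? at REQUEST_COOKIES:(?P<cookie>\S+?)\. \[file '
                 r'.*?\[id "(?P<rid>\d+)"\]')

def tally(log_text):
    """Count alerts per (rule id, cookie name); non-cookie targets are skipped."""
    return Counter((m["rid"], m["cookie"]) for m in HIT.finditer(log_text))

def suggest(counts, prefixes=("__utm",), min_hits=2):
    """Return (directives, review): exclusions for allow-listed third-party
    cookie prefixes, and every other cookie hit left for manual review."""
    per_prefix, review = Counter(), {}
    for (rid, cookie), n in counts.items():
        prefix = next((p for p in prefixes if cookie.startswith(p)), None)
        if prefix is None:
            review[(rid, cookie)] = n   # e.g. first-party cookies: never auto-exclude
        else:
            per_prefix[(rid, prefix)] += n
    directives = [
        f"SecRuleUpdateTargetById {rid} !REQUEST_COOKIES:'/^{re.escape(prefix)}/'"
        for (rid, prefix), n in sorted(per_prefix.items()) if n >= min_hits
    ]
    return directives, review

if __name__ == "__main__":
    directives, review = suggest(tally(SAMPLE_LOG))
    print("\n".join(directives))
    print("review manually:", review)
```

Hits on cookies outside the allow-list stay in the review set so that a first-party cookie is never excluded from a rule without someone looking at why it matched.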

