Hi Ryan,

You are right that SecResponseBodyAccess invites a debate.

In the discussion about the SecRuleEngine setting you took the hat of the business people who do not want the WAF to interfere with the legit traffic. However, this can happen here when you have large downloads on the website. A lot of corporate websites have a few presentations, PDF reports, way too large images or even a video or two. This is all slowed down very much, and if you have a lot of these, then the whole web server / reverse proxy can be affected. It gets a lot worse when you have a B2B application with legitimate queries that return 80 MB responses... I have seen a surprisingly big number of these applications.

If you have some experience, then you know how to deal with this. But as this is the default setting, you need to think hard. I guess one can come to a reasonable compromise with SecResponseBodyLimit and SecResponseBodyLimitAction, but I worry whether users will understand the level of protection they get: you would set the BodyAccess to On but then limit the effect afterwards.

Best,

Christian

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
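The compromise Christian sketches (SecResponseBodyAccess On, then bounded by SecResponseBodyLimit and SecResponseBodyLimitAction) looks like this in ModSecurity directive syntax. This is an added illustration, not from either mail and not the CRS's shipped crs-setup.conf; the MIME type list, the rule id and the "ORA-01" error-string check are constructed for the example.

```apache
# Added example: keep response body inspection on, but bound what it costs.

SecResponseBodyAccess On

# Only buffer responses whose Content-Type is in this list. PDFs, images,
# video and other binary downloads do not match, so they stream through
# without being held in memory. (List chosen for the example.)
SecResponseBodyMimeType text/plain text/html text/xml application/json

# Maximum number of bytes of a matching response that will be buffered.
# 524288 (512 KB) is ModSecurity's documented default, stated explicitly here.
SecResponseBodyLimit 524288

# What happens when a response exceeds the limit:
#   Reject         - the client gets an error; this is what would break the
#                    legitimate 80 MB B2B reply mentioned above
#   ProcessPartial - inspect only the first SecResponseBodyLimit bytes and
#                    pass the remainder through uninspected
# ProcessPartial is the non-disruptive choice, and it is exactly where the
# "level of protection" question arises: anything beyond the limit is unseen.
SecResponseBodyLimitAction ProcessPartial

# What buffering the body buys you: a constructed information-leak check
# in phase 4 (response body), which only runs when SecResponseBodyAccess is
# On. Rule id is in the 1-99,999 range ModSecurity reserves for local use.
SecRule RESPONSE_BODY "@contains ORA-01" \
    "id:10001,phase:4,deny,status:500,log,msg:'Possible database error disclosure in response'"
```

With this configuration a 200 KB HTML page is fully inspected, a 40 MB PDF is never buffered because its type is not listed, and a 2 MB HTML report is inspected only in its first 512 KB. That last case is the trade-off to document for operators: the directive is On, but the guarantee is partial.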
