Having the Sec[Request|Response]BodyAccess deprecated

owasp-modsecurity · Dec 23, 2020 · ae128ad · ae128ad
1 parent 62d35fb
commit ae128ad
Show file tree

Hide file tree

Showing 6 changed files with 928 additions and 780 deletions.
diff --git a/modsecurity.conf-recommended b/modsecurity.conf-recommended
@@ -9,11 +9,16 @@ SecRuleEngine DetectionOnly
 
 # -- Request body handling ---------------------------------------------------
 
+#
 # Allow ModSecurity to access request bodies. If you don't, ModSecurity
 # won't be able to see any POST parameters, which opens a large security
 # hole for attackers to exploit.
 #
-SecRequestBodyAccess On
+# IMPORTANT: SecRequestBodyAccess is no longer supported. The Request Body
+#            will be processed whenever a variable depends on it.
+#
+# SecRequestBodyAccess On
+#
 
 
 # Enable XML request body parser.
@@ -146,7 +151,13 @@ SecRule TX:/^MSC_/ "!@streq 0" \
 # Do keep in mind that enabling this directive does increases both
 # memory consumption and response latency.
 #
-SecResponseBodyAccess On
+# IMPORTANT: SecResponseBodyAccess is no longer supported. The Response Body
+#            will be processed whenever a variable depends on it.
+#
+# SecResponseBodyAccess On
+#
+#
+
 
 # Which response MIME types do you want to inspect? You should adjust the
 # configuration below to catch documents but avoid static files