azurit

> and that means thousands of exclusions to create. This is simply NOT true, you are overeacting. I'm running CRS for about 10 years now with ~740 exclusion rules.

Running on higher PL than 1 comes with FPs and exclusions. That's how it is (official from us, developers).

Why do you think sandbox needs HTTP/2?

> > Why do you think sandbox needs HTTP/2? > > I can imagine that someone wants to check the rule set against `http2`, not the previous versions. Eg. find...

> https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L241 This one can be tested also without HTTP/2 support. It's not targeting any vulnerability, just enforcing correct protocol usage.

Can you list newly blocked payloads in the PR description? Thanks.

It is possible to resolve, just put your rules into ~PL2~ phase 2, before CRS - plugin will run after ~PL1~ phase 1 rules (which includes initialization rules).

By the way, there already was a discussion about this (as it is a [known problem](https://coreruleset.org/docs/4-about-plugins/4-2-writing-plugins/#anomaly-scoring-getting-the-phases-right)) and my suggestion at that time was to separately load `REQUEST-901-INITIALIZATION.conf` so it is...

@EsadCetiner I see. Solution would be that plugin will move those rules to phase 2 using [SecRuleUpdateActionById](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#user-content-SecRuleUpdateActionById). It will move rules globally (for whole server) to phase 2 but i...

@EsadCetiner That is not accurate, see [here](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#user-content-SecRuleUpdateActionById).