
Basic modsecurity setup with nginx docker image responds with HTML content but with content-type of text/plain

Open jpierson-at-riis opened this issue 5 months ago • 1 comment

When testing out the basic features of modsecurity, I tried accessing a non-existing page which is included by threat scanning tools to see how modsecurity would handle it. I was happy to see that the request resulted in a generic 403 response but instead of the HTML rendering in the browser it was displayed in plain text. When checking, it looks like the content-type of the response was text/plain when it really should have been text/html.

Additionally, the server header in the response was disclosing that the underlying system was using nginx, which is a concern due to disclosure of the underlying technology, and which allows attackers to narrow their possible set of attacks. In the same way, the default 403 error message shown below also references nginx. My recommendation, if possible, would be to configure this product to remove these headers and to use something generic which does not signal anything unique to clue an attacker in on the use of modsecurity or nginx.

Image: owasp/modsecurity-crs:nginx
Example URL: http://localhost:8080/.env

Response:

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

jpierson-at-riis, Sep 30 '25 15:09

Hi @jpierson-at-riis,

> When testing out the basic features of modsecurity, I tried accessing a non-existing page which is included by threat scanning tools to see how modsecurity would handle it. I was happy to see that the request resulted in a generic 403 response but instead of the HTML rendering in the browser it was displayed in plain text. When checking, it looks like the content-type of the response was text/plain when it really should have been text/html.

Probably this is some Docker image feature; I tried this request with one of my Nginx + ModSecurity setups and got a text/html response.

> GET /.env HTTP/2
> Host: my.host.name
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
...
< HTTP/2 403 
< server: nginx
< date: Tue, 30 Sep 2025 16:02:01 GMT
< content-type: text/html
< content-length: 146
< 
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>

Maybe you can ask coreruleset/modsecurity-crs-docker about these settings.

airween, Sep 30 '25 16:09
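The two checks the thread turns on (is the blocked response labelled text/html, and does the Server header name the product) are easy to automate. The script below is an added example written for this page; it is not code from the issue, from ModSecurity-nginx or from the CRS docker project. The function and sample names are hypothetical, the URL in the comment is the one from the report, and the two header sets are constructed by hand to mirror what the report and the reply describe (the Date values are made up).

```shell
#!/bin/sh
# Added example, not from the issue or either project. Audits the headers of
# a blocked (403) response for two things: the body must be labelled
# text/html, and the Server header should not disclose nginx/ModSecurity
# or a version.
#
# Live use against a running image (URL taken from the report):
#   curl -sS -D - -o /dev/null http://localhost:8080/.env | audit_headers

# Reads raw HTTP response headers on stdin (CRLF or LF line endings),
# prints one line per finding, returns 0 when clean and 1 otherwise.
audit_headers() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    # header names are case-insensitive; take the first occurrence of each
    ctype=$(printf '%s\n' "$hdrs" | awk -F': *' 'tolower($1)=="content-type"{print tolower($2); exit}')
    server=$(printf '%s\n' "$hdrs" | awk -F': *' 'tolower($1)=="server"{print $2; exit}')
    rc=0
    case "$ctype" in
        text/html*) ;;
        *) printf 'FINDING: %s response has content-type "%s", expected text/html\n' \
               "$status" "${ctype:-<none>}"; rc=1 ;;
    esac
    case "$server" in
        "") ;;                                  # header absent: nothing disclosed
        *[Nn]ginx*|*[Aa]pache*|*[Mm]od[Ss]ecurity*|*/[0-9]*)
            printf 'FINDING: Server header discloses "%s"\n' "$server"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the headers the report describes for the
# owasp/modsecurity-crs:nginx image (text/plain body, Server: nginx).
sample_reported_response() {
    printf 'HTTP/1.1 403 Forbidden\r\nServer: nginx\r\nDate: Tue, 30 Sep 2025 15:09:00 GMT\r\nContent-Type: text/plain\r\nContent-Length: 146\r\n\r\n'
}

# Constructed sample: the same response with the Server header removed and
# the error page served as text/html, i.e. what the reporter asks for.
sample_hardened_response() {
    printf 'HTTP/1.1 403 Forbidden\r\nDate: Tue, 30 Sep 2025 15:09:00 GMT\r\nContent-Type: text/html\r\nContent-Length: 146\r\n\r\n'
}

# Stand-alone run: audit both constructed samples.
echo '--- reported image response'
if sample_reported_response | audit_headers; then echo clean; else echo 'findings present'; fi
echo '--- hardened response'
if sample_hardened_response | audit_headers; then echo clean; else echo 'findings present'; fi
```

Two nginx caveats worth knowing when acting on the findings: `server_tokens off;` only drops the version, the header still reads `Server: nginx`, so removing it entirely on open-source nginx needs the headers-more module (`more_clear_headers Server;`) or a rebuilt binary; and if a custom `error_page 403` points at a file whose extension is not in `mime.types`, nginx labels the body with `default_type`, which is `text/plain` in the stock configuration, so that mapping is one place to look when a 403 comes back as text/plain.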