Tom Van Looy

Results 6 comments of Tom Van Looy

I'm not going to send this as a patch myself because I don't need it but as an exercise I added such an option https://gist.github.com/tvlooy/8f5c9253f9e283eaee9a77e9721daa52

What I would like is to have an option to handle requests with fastcgi if the requested location is not a file or directory. Like in Apache: ``` RewriteCond %{REQUEST_FILENAME} !-d...

Apart from this, I don't like the way the repository is used. See this related PR #271. I will pick this up and finish that implementation as soon as possible.

Alternative is to add 'unsafe-hashes' 'sha256-3dDrThOc2zmJEhhmVkMUo23T+sG6WbaWEVfglCknVxY=' to your CSP script-src. It's not perfect but better than disabling the CSP or going for 'unsafe-inline'.

We are using Debian 11 packaged versions: libapache2-mod-security2 2.9.3-3+deb11u1 and modsecurity-crs 3.3.0-1+deb11u1, so indeed 2.9.3. I can send you the complete config that we have now if that helps. Should I...

This is reproducible if you add this to your config:

```
SecRuleRemoveById 950100 #
```

We placed an inline comment "# for saml login" there, but that's not how the...