On Sun, Nov 02, 2025 at 12:53:52PM +0100, Pierre Pilou wrote: > mod_unique_id provides a unique but deterministic variable based on a > timestamp and a counter. The counter requires a lock via apr_atomic_inc32 > to guarantee the correlation between requests (and could be a performance > issue). I thought this module was mainly used for correlation in a logging > system rather than for use in a security system.
I'm sure that's the main use. But entropy is very hard to come by within the Apache config / ModSecurity rule language. And this is what we came up with. For those interested, here is the rules in question: https://github.com/coreruleset/coreruleset/blob/main/rules/REQUEST-901-INITIALIZATION.conf#L400 If we could get that out of a mod_unique_id environment variable, it would be much easier. Best, Christian -- It's really hard to innovate if you're afraid to open your mouth. -- Greg Lukianoff
