Reference Manual: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecResponseBodyAccess
Current setting:

    # Allow ModSecurity to access response bodies.
    # You should have this directive enabled in order to identify errors
    # and data leakage issues.
    #
    # Do keep in mind that enabling this directive does increase both
    # memory consumption and response latency.
    #
    SecResponseBodyAccess On

Rationale:

This directive setting will most likely spark a debate. Ivan Ristic proposed that this directive initially be set to Off. His rationale was that most new ModSecurity users want to focus on inbound attacks only, and he also highlighted the memory consumption impact. While these points are valid, I believe that this directive should be initially turned on for the following reasons:

1. Many web apps have issues with leaking sensitive data, and with this directive disabled, they will miss these issues. These are the issues flagged by the OWASP modsecurity_crs_50_outbound.conf file.

2. The performance impact may or may not cause issues. If these are found to be a problem, then the user can consider disabling this setting.

3. In previous versions of ModSecurity, even if the SecRuleEngine was set to DetectionOnly, ModSecurity would still block outbound response bodies that were larger than the SecResponseBodyLimit directive. This caused a lot of problems for new users, so initially setting SecResponseBodyAccess to Off was an option to ensure that you didn't block responses initially. This has since been changed with SecResponseBodyLimitAction ProcessPartial.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
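As an added illustration of the configuration discussed in the post (this fragment is not part of the post, the recommended modsecurity.conf, or the OWASP CRS), the following ties the four directives together: response-body access turned on, the body size limit paired with ProcessPartial so an over-limit response is inspected rather than blocked, and one constructed outbound rule of the kind found in the CRS outbound file. The rule id, the MIME type list, the regex and the message text are choices made here, not values from the post.

```apache
# Added example, not from the mailing-list post or the OWASP CRS.
# Rule id 1000, the MIME list and the regex below are placeholders
# chosen for this illustration.

# Start in detection mode: matching rules are logged, nothing is blocked.
SecRuleEngine DetectionOnly

# Let ModSecurity buffer response bodies so phase-4 rules can read them.
SecResponseBodyAccess On

# Only buffer text-like responses; skipping images, archives and other
# binary content keeps the memory cost the post mentions in check.
SecResponseBodyMimeType text/plain text/html text/xml application/json

# Buffer at most 512 KB of a response body ...
SecResponseBodyLimit 524288

# ... and inspect the buffered part instead of blocking the response when
# the limit is exceeded (the behaviour the post says replaced the old
# "block large bodies even in DetectionOnly" behaviour).
SecResponseBodyLimitAction ProcessPartial

# Constructed outbound rule: flag database error text leaking to clients.
# Under DetectionOnly the "deny" is only logged; change SecRuleEngine to
# On once the audit log shows the rule is not firing on legitimate pages.
SecRule RESPONSE_BODY "@rx (?i)(?:ORA-\d{5}|SQL syntax.*MySQL|Microsoft OLE DB Provider for SQL Server)" \
    "id:1000,phase:4,deny,log,msg:'Database error message leaked in response body',tag:'leakage/errors'"
```

Two points worth checking when adapting this: rule ids must be unique across all loaded rule files (the low id range is conventionally kept for local rules, so it does not collide with CRS ids), and an outbound rule must be in phase 4, otherwise RESPONSE_BODY is empty when the rule runs and the leak is never seen.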
