Hello, Chaim was kind enough to merge Achim's and my set of Header Injection Prevention rules into the v3.0.0-branch.
This was smooth, so let's try the process with a 2nd little set of rules, which I use at times. It's a set of performance rules that do some measuring at different phases and prepare the info into variables, which can then be logged. It's more detailed than Stopwatch2 in the audit-log and the data is prepared to be pushed into the access-log (or whatever you call it for non-Apache httpd servers).

For the 2.2.x ruleset, this would fit into the optional_rules folder, but I am not sure about the right course of action for v3.0.0-dev. Do you plan to include an optional_rules folder eventually, or would you rather define a switch in modsecurity_crs_10_setup.conf.example, which would then enable/disable the ruleset in two files like

    rules/REQUEST-00-0-PERFORMANCE-START.conf
    rules/RESPONSE-99-9-PERFORMANCE-END.conf

?

Ahoj,

Christian

--
Chains of habit are too light to be felt until they are too heavy to be broken.
-- Warren Buffett