Kenneth,

On Tue, May 17, 2016 at 12:28:54PM +0800, T. Kenneth Lojo (IRRI) wrote:
> Our company has started using mod security as a web application firewall
> and we used the OWASP core rule set. When we apply the CRS Facebook cannot
> scrape our site and gives a 403 forbidden message. Can you provide
> directions on how to correct this? Our website is http://irri.org

This is typical behaviour for a new CRS install, which blocks what seem
to be legitimate requests as false positives.

If you want to continue in blocking mode, you need to tune the system.
Which means you need to get rid of the false positives, by writing
ModSec rules telling the engine to circumvent the said offending rules.

Google for ModSecurity tuning and false positives.

And good luck!

Christian

--
First you make it, then it works, then you invite people to make it better.
-- Eben Moglen, Free Software Foundation
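
Tuning of the kind described in the reply starts with finding which rule ids fire for the blocked requests. The following is an added example, not part of the original message: it assumes ModSecurity 2.x entries in the Apache error log, and the sample lines, addresses, rule ids, messages and paths are all constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample: lines shaped like ModSecurity 2.x entries in the Apache
# error log. IPs, rule ids, messages and paths are placeholders, not real data.
SAMPLE_LOG = """\
[Tue May 17 12:30:01 2016] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match at REQUEST_HEADERS. [file "/path/to/crs/rule_a.conf"] [line "10"] [id "999001"] [msg "Constructed rule A"] [hostname "www.example.org"] [uri "/"] [unique_id "AAA1"]
[Tue May 17 12:30:01 2016] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [file "/path/to/crs/rule_b.conf"] [line "20"] [id "999002"] [msg "Constructed rule B"] [hostname "www.example.org"] [uri "/"] [unique_id "AAA1"]
[Tue May 17 12:31:40 2016] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match at REQUEST_HEADERS. [file "/path/to/crs/rule_a.conf"] [line "10"] [id "999001"] [msg "Constructed rule A"] [hostname "www.example.org"] [uri "/news"] [unique_id "AAA2"]
[Tue May 17 12:32:05 2016] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match at ARGS:q. [file "/path/to/crs/rule_c.conf"] [line "30"] [id "999003"] [msg "Constructed rule C"] [hostname "www.example.org"] [uri "/search"] [unique_id "AAA3"]
[Tue May 17 12:33:00 2016] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
"""

# ModSecurity metadata appears as [name "value"] pairs; the client is unquoted.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT = re.compile(r'\[client ([^\]]+)\]')


def parse_line(line):
    """Return the ModSecurity fields of one log line as a dict, or None."""
    if "ModSecurity:" not in line:
        return None  # ordinary Apache error, not a rule hit
    fields = dict(FIELD.findall(line))
    client = CLIENT.search(line)
    if "id" not in fields or client is None:
        return None
    fields["client"] = client.group(1)
    return fields


def rule_hits(log_text, client=None):
    """List (rule id, hit count, URIs) by frequency, optionally for one client."""
    hits, uris = Counter(), {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or (client and fields["client"] != client):
            continue
        hits[fields["id"]] += 1
        uris.setdefault(fields["id"], set()).add(fields.get("uri", "?"))
    return [(rid, n, sorted(uris[rid])) for rid, n in hits.most_common()]


if __name__ == "__main__":
    for rid, n, paths in rule_hits(SAMPLE_LOG, client="192.0.2.10"):
        print(f"rule {rid}: {n} hit(s) on {', '.join(paths)}")
```

The ids it lists are the candidates for exclusion rules; an exclusion scoped to the affected path is narrower than removing a rule for the whole site.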