ModSecurity exceptions

Have someone installed Discourse behind nginx/Apache with ModSecurity and CRS v3?
Is there any known list of rules to disable or modify for Discourse?
For now we have disabled ~11 rules and I think that is not the end.

1 Like

Why would you use that?

Discourse is open source and with way more activity than ModSecurity, which sounds like something useful when put to front some black box web software.


I promise you this will end very badly for everyone involved. It is not a good idea.

1 Like

So you are telling me that introducing WAF will only create new troubles and Discourse doesn’t contain any vulnerabilities?

1 Like

Nobody can promise will full confidence that their software doesn’t contain vulnerabilities. We do however patch security issues promptly and responsibly when reported, and have a bug bounty program.

Having said that, ModSecurity is not the answer. You will have a very hard time if you choose to do this.

1 Like

Thank you for the answers. We will consider removing ModSecurity.