While the security concerns are valid, we also realize that there are many, many Hosting Providers who are using old ModSecurity v1 strictly because they need this capability to allow their customers to use .htaccess files for adding exceptions. Without this feature, end users are flooding the Help Desk/Support forums with requests to add exceptions for ModSecurity rules for their sites.
So, we are considering adding support for this feature back into ModSecurity v2.7.x. It will NOT be enabled by default and would require the user to use a new --enable-htaccess-config configure flag and re-compile. Users would have to understand the tradeoffs with regards to security and allowing distributed configurations in a multi-user environment.
- Is this a feature that you need? Please let us know if adding this capability is useful to you. You can log into Jira and click on the "VOTE" button for the open ticket above.
- We are considering NOT allowing control of the SecRuleEngine or SecAuditEngine directives, as those would be controlled by the main administrator. Are there any other features that you feel should be restricted for use with .htaccess file support?
Based on community feedback, we will make a determination for adding this back in.
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader