I'm trying to get the csrf rules to work with Apache 2.4.9 and mod_security.

They are not working consistently: sometimes the JavaScript is appended, other times it is not. I have not been able to work out any pattern to this inconsistency.

In the debug log I see the rule being triggered...

[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][5] Rule 231c738: SecRule "&SESSION:CSRF_TOKEN" "@eq 1" "phase:4,auditlog,id:981145,t:none,nolog,pass,append:'<html><script language=\"JavaScript\"> var tokenName = 'CSRF_TOKEN'; var tokenValue = '%{session.csrf_token}'; \rfunction updateTags() {         var all = document.all ? document.all : document.getElementsByTagName('*');         var len = all.length;         for(var i=0; i<len; i++) {                 var e = all[i];                                 updateTag(e, 'src');                 updateTag(e, 'href');         } } \rfunction updateForms() {         var forms = document.getElementsByTagName('form');                         for(i=0; i<forms.length; i++) {                 var html = forms[i].innerHTML;                                 html += '<input type=hidden name=' + tokenName + ' value=' + tokenValue + ' />';                 forms[i].innerHTML = html;         } } \rfunction updateTag(element, attr) {         var location = element.getAttribute(attr);         if(location != null && location != '' && i
[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Transformation completed in 1 usec.
[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Executing operator "eq" with param "1" against &SESSION:CSRF_TOKEN.
[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Operator completed in 1 usec.
[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Rule returned 0.
[05/Jun/2014:17:44:19 --0500] [hostname/sid#207e580][rid#7ffb2c002970][/WebApplicationRoot/][4] Output filter: Output forwarding complete.

but often nothing appears in the browser, and then sometimes it does.

Also, if the LocationMatch is set to `.*`, everything (.js, .css, .jpg, .ico) triggers the rule even though the directive says

SecResponseBodyMimeType text/plain text/html text/xml

I have to explicitly match `.*\.do|.*\.jsp`

Any ideas?

Regards, fjh.