I'm trying to figure out how I can limit the size of files people can download from my webserver.  I would like to limit them to files <10MB.  How can I achieve this using mod_security.  Everything I see on mod_security refers to files being uploaded. 

I tries this, but it did not work:

SecRule RESPONSE_HEADERS:Content-Type "@gt 10240" phase:3,deny,log

I put this rule in my modsecurity_localrules.conf file.

Also, what does phase:1, phase:2, and phase:3 mean?

Please help!