We are seeking feedback from the community on the idea of re-enabling Apache.htaccess support for ModSecurity.  https://www.modsecurity.org/tracker/browse/MODSEC-58.  This functionality existed in the v1 branch of ModSecurity - http://modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/03-configuration.html#N1027D.  It was removed due to valid security concerns, namely that attackers could easily bypass the ModSecurity protections if they could just upload a .htaccess file with – SecFilterEngine Off in it…

While the security concerns are valid, we also realize that there are many, many Hosting Providers who are using old ModSecurity v1 strictly because they need this capability to allow their customers to use .htaccess files for adding exceptions.  Without this feature, end users are flooding the Help Desk/Support forums with requests to add exceptions for ModSecurity rules for their sites.

So, we are considering adding support for this feature back into ModSecurity v2.7.x.  It will NOT be enabled by default and would require the user to use a new --enable-htaccess-config configure flag and re-compiling.  Users would have to understand the tradeoffs with regards to security and allowing distributed configurtions in a multi-user environment.  

  1. Is this a feature that you need?  Please let us know if adding this capability is useful to you.  You can log into Jira and click on the "VOTE" button for the open ticket above.
  2. We are considering NOT allowing control of the SecRuleEngine or SecAuditEngine directives as those would be controlled by the main administrator.  Are there any other features that you feel should be restricted for use with .htaccess file support?
Based on community feedback, we will make a determination for adding this back in.


Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.