Has anybody tried stopping Apache Expect Header XSS vulnerability with mod_security?


I tried these two filters, but they did not work:


SecFilterSelective HEADERS_NAMES "!^(Host|User-Agent|Accept|Accept-Encoding|Accept-Language|Accept-Charset|Keep-Alive|Connection|Referer|TE)$"





SecFilterSelective HEADERS_NAMES "(Expect)"


I tried the first of the filters with the Referer header and it worked fine; but somehow mod_security did not stop connections coming in with the Expect header, and Apache was still vulnerable to the Expect header XSS vulnerability.


Any comments?




- Birol
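One thing worth checking before tuning rules further is whether the server actually echoes the Expect value back. Apache emits the 417 Expectation Failed response while it is still reading the request, before the post_read_request and later hooks in which modules get to inspect headers, which is why a rule on HEADERS_NAMES can match a Referer header but never see this request. The Python probe below is an added example, not part of Birol's post or of the mod_security project: it sends a request whose Expect value is not "100-continue" and classifies the 417 body as reflected (payload present verbatim), escaped, or not echoed. The marker string, the host name used in the usage line and the three sample responses are constructed for illustration; the samples are loosely modelled on Apache's error page and were not captured from a real server.

```python
"""Probe whether an Apache 417 Expectation Failed page reflects the Expect header.

Added example for illustration; not from the original post.
"""
import html
import socket

# Constructed marker: unlikely to occur in a normal error page, so a hit is unambiguous.
MARKER = "expectprobe7f3a"
PAYLOAD = f"<script>alert('{MARKER}')</script>"


def build_probe(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request whose Expect value is anything but 100-continue.

    Apache answers such a request with 417; the question is whether the
    417 body echoes the Expect value back without escaping it.
    """
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Expect: {PAYLOAD}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1", errors="replace")


def classify(raw: bytes) -> str:
    """'reflected'  : 417 body contains the payload verbatim (exploitable XSS)
       'escaped'    : only an HTML-escaped copy appears (not exploitable as-is)
       'not echoed' : 417 body does not mention the payload at all
       'unexpected status' : the server did not answer 417"""
    status, _, body = parse_response(raw)
    if status != 417:
        return "unexpected status"
    if PAYLOAD in body:
        return "reflected"
    if html.escape(PAYLOAD) in body or html.escape(PAYLOAD, quote=False) in body:
        return "escaped"
    return "not echoed"


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send the probe over a plain TCP socket and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host, path))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify(b"".join(chunks))


def _sample_417(body: str) -> bytes:
    """Wrap a body in a minimal 417 response (constructed sample for offline use)."""
    return (
        "HTTP/1.1 417 Expectation Failed\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        "Connection: close\r\n"
        "\r\n" + body
    ).encode("iso-8859-1")


# Constructed samples, not captured from a real server.
VULNERABLE_417 = _sample_417(
    "<html><body><h1>Expectation Failed</h1>\n"
    "<p>The expectation given in the Expect request-header field could not be "
    "met by this server.</p>\n"
    f"<p>The client sent<pre>\n    Expect: {PAYLOAD}\n</pre>\n"
    "but we only allow the 100-continue expectation.</p>\n"
    "</body></html>\n"
)
ESCAPED_417 = _sample_417(
    f"<html><body><p>The client sent Expect: {html.escape(PAYLOAD)}</p></body></html>\n"
)
FIXED_417 = _sample_417(
    "<html><body><h1>Expectation Failed</h1>\n"
    "<p>The expectation given in the Expect request-header field could not be "
    "met by this server.</p>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    # Usage against a host you are authorised to test, e.g. a lab box (hypothetical name):
    print(probe("www.example.test"))
```

Run it against a lab server before and after the rule change: if the result stays "reflected" while the same rule blocks a Referer-based test, the request is being answered before the rule engine runs, and no header filter at that stage will change the outcome.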