Has anybody tried stopping Apache Expect Header XSS vulnerability with mod_security?
I tried these two filters, but they did not work:
SecFilterSelective HEADERS_NAMES "!^(Host|User-Agent|Accept|Accept-Encoding|Accept-Language|Accept-Charset|Keep-Alive|Connection|Referer|TE)$"
SecFilterSelective HEADERS_NAMES "(Expect)"
I tried the first of the filters with the Referer header and it worked fine; but somehow mod_security did not stop connections coming in with an Expect header, and Apache was still vulnerable to the Expect header XSS vulnerability.
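Added note, not part of the original question: in the affected Apache versions the 417 Expectation Failed page is generated inside the request-reading code, before filter modules such as mod_security see the request, so a header-name rule is best verified end to end rather than assumed to work. The script below is example code (not the poster's) that sends a harmless, constructed Expect value to a server you administer and reports whether the error page echoes it back unescaped; the host "localhost" is a placeholder and the sample response body is constructed.

```python
import http.client

# Constructed marker (not a script). The angle brackets let us tell a verbatim
# echo apart from an HTML-escaped one, which is what the mitigation must ensure.
TOKEN = "expect-check-7f3a"
MARKER = "<" + TOKEN + ">"

# Constructed sample of a vulnerable 417 page, used for the offline run below.
SAMPLE_417_BODY = "<p>The expectation " + MARKER + " could not be met.</p>"


def classify_reflection(body, marker=MARKER, token=TOKEN):
    """Classify how an error page handled the Expect header value.

    'unescaped' : marker echoed verbatim, angle brackets intact (vulnerable)
    'escaped'   : token present but the brackets were neutralised (safe)
    'absent'    : the value is not reflected at all (safe)
    """
    if marker in body:
        return "unescaped"
    if token in body:
        return "escaped"
    return "absent"


def check_server(host, port=80, path="/", timeout=5):
    """Send one GET with a non-standard Expect value to a server you run and
    return (status, classification). The mitigation is effective when the
    classification is not 'unescaped', or when the connection is refused."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.putrequest("GET", path)          # adds Host automatically
        conn.putheader("Expect", MARKER)
        conn.endheaders()
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, classify_reflection(body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in check_server(...)
    # against a host you administer to test a real configuration.
    print("sample page:", classify_reflection(SAMPLE_417_BODY))
```

Run it before and after adding a rule; a status of 417 with an "escaped" or "absent" result (or a 4xx from the filter itself) means the header value no longer reaches the page unescaped.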