I found that CRS generated quite a lot of alerts for requests to static content, so I created a rule to just allow them.

SecRule REQUEST_URI "^(?:/javascripts|/favicon\.ico|/images|/stylesheets|/logos|/documents|/static)" "phase:1,allow,ctl:auditEngine=off"

My assumption is that static content access should have very little chance of causing a security issue for the web application. Can you please let me know if there is any potential risk? Is this a good practice in a WAF?

BTW, is there a document that explains the CRS rule set in more detail?


John Jun Li

My Blog: http://www.jlisbz.com
My LinkedIn Profile: http://www.linkedin.com/in/johnjunli