I have this idea that ModSecurity should not use post_read for its
phase 1. Instead, phase 1 should use the same hook as phase 2. With
this change, users would be able to override configuration from a
<Location> or <Directory> container, removing the problem that has
been causing confusion for years. The only advantage of having phase 1
early is to allow for rules that are protecting Apache itself, but I
am yet to see a single such rule. Besides, we can still keep one such
early phase (although we'd better move to using names for phases,
instead of numbers).
--
Ivan Ristic
Security assessment of your SSL servers
https://www.ssllabs.com/ssldb/
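
The override problem described in the message above, as an added configuration sketch that is not part of the original post. The rule ids, the /upload path and the User-Agent value are constructed for illustration, and the behaviour noted in the comments assumes phase 1 runs on the post_read hook as the message states.

```apache
# Constructed example: ids 100001/100002, "/upload" and "testclient" are made up.
SecRuleEngine On

# Phase 1 rule. With phase 1 on the post_read hook, this is evaluated before
# Apache has mapped the request to a <Location> or <Directory> container,
# so only the server-level (or virtual host) configuration is in effect.
SecRule REQUEST_HEADERS:User-Agent "@contains testclient" \
    "id:100001,phase:1,deny,status:403,log,msg:'Blocked client (phase 1)'"

# The same check written as a phase 2 rule. Phase 2 runs after the
# per-location configuration has been merged.
SecRule REQUEST_HEADERS:User-Agent "@contains testclient" \
    "id:100002,phase:2,deny,status:403,log,msg:'Blocked client (phase 2)'"

<Location "/upload">
    # Intended exception for one path.
    # 100002 (phase 2): removed for requests under /upload, as expected.
    # 100001 (phase 1): has already run by the time this container applies,
    #                   so the exception does not reach it.
    SecRuleRemoveById 100001 100002
</Location>
```

Under that assumption, a request to /upload is still denied by rule 100001; writing the rule as phase 2 is what lets the container's exception take effect.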