
How to Configure Apache mod_security (Web Application Firewall)

DodaTech Updated 2026-06-24 1 min read

mod_security (Apache's security2 module) combined with the OWASP Core Rule Set (CRS) gives Apache a web application firewall. Proper tuning balances protection against false positives and request-inspection overhead. This guide shows a working baseline configuration and the steps to enable the module, install the rule set, and tune it before turning blocking on.

Before You Begin

Before you begin, be sure to have the following in place:

  • A Linux server running Apache httpd with the mod_security2 module package installed (the a2enmod commands here follow the Debian/Ubuntu layout)
  • Access to the command line interface
  • Root or sudo privileges

Quick Fix

Wrong: no web application firewall

With the module absent or SecRuleEngine Off, every request reaches the application uninspected.

Right: mod_security with OWASP CRS

Put these directives in the module's configuration (on Debian/Ubuntu that is /etc/modsecurity/modsecurity.conf, created by copying modsecurity.conf-recommended), then restart Apache:

    # Blocking mode; use DetectionOnly while tuning (see Prevention below)
    SecRuleEngine On
    # Inspect request bodies so POST form fields and JSON are covered
    SecRequestBodyAccess On
    # Skip response-body inspection (the CRS outbound rules will not see bodies)
    SecResponseBodyAccess Off
    # OWASP CRS setup and rule files; adjust the paths to where CRS is installed
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf

Result

    mod_security enabled
    Rule engine: On
    CRS rules: loaded
    Protection: SQLi, XSS, LFI, command injection

The lines above summarise what the configuration achieves; they are not literal command output. To confirm the module is loaded, run apachectl -M and look for security2_module, and run apachectl configtest to check that the CRS Include paths resolve.

Prevention

To avoid future issues, follow these best practices:

  • Enable the module with a2enmod security2 (Debian/Ubuntu; the package is libapache2-mod-security2) and restart Apache
  • Install the OWASP Core Rule Set (package modsecurity-crs on Debian/Ubuntu) and Include crs-setup.conf plus the rules directory
  • Set SecRuleEngine DetectionOnly first so rules log their matches without blocking anything
  • Watch the audit log while real traffic flows and note which rule IDs match legitimate requests
  • Tune those rules with scoped exclusions to reduce false positives, then switch SecRuleEngine to On

DodaTech Tools

For further assistance with any of the above issues, consider using DodaTech consulting services or DodaTech tutorials for more in-depth guidance.

Common Mistakes with mod_security

  1. Switching SecRuleEngine to On without a DetectionOnly period and an audit-log review, so legitimate requests are blocked from the first day
  2. Leaving SecRequestBodyAccess Off, so POST bodies and JSON payloads are never inspected and injection in body parameters passes the CRS rules untouched
  3. Silencing a false positive with a global SecRuleRemoveById, or by excluding the CRS anomaly-scoring rules, instead of scoping the exclusion to the path or parameter that triggered it

These mistakes appear frequently in real-world Apache mod_security deployments. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

With SecRuleEngine set to DetectionOnly, send one request that should trip a CRS rule (for example a SQL injection string in a query parameter) and one legitimate request that your application must accept but that contains an apostrophe or other suspicious character. Find both transactions in the audit log, identify the rule IDs that matched, and write an exclusion that covers only the false positive before switching SecRuleEngine to On.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

What does the OWASP Core Rule Set protect against?
SQL injection, cross-site scripting (XSS), local file inclusion, remote file inclusion, command injection, and many other attack types.

How do I handle false positives from mod_security?
Set SecRuleEngine DetectionOnly, check the audit log (/var/log/apache2/modsec_audit.log by default on Debian-style installs) for the rule IDs that match legitimate traffic, then exclude those rules. SecRuleRemoveById disables a rule everywhere; where possible scope the exclusion to the URI or parameter that triggers it, and never exclude the CRS anomaly-evaluation rules, since that switches blocking off altogether rather than fixing one false positive.
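A worked example for the audit-log review and tuning steps in Prevention and for the false-positive question above. It is an added example, not code from the original page or from the ModSecurity or CRS projects. It parses the serial audit-log format (the single-file format written when SecAuditLogType is Serial), counts which rule IDs matched on which request path, and emits an exclusion for any rule that fires repeatedly on one path: the global SecRuleRemoveById form the FAQ names is kept as a comment, and the emitted directive is the scoped ctl:ruleRemoveById form that keeps the rule active on every other URI. The audit-log text and hostnames are constructed for the example, and the local rule IDs starting at 10001 are an assumption (CRS reserves IDs 1-99999 for local rules).

```python
"""Summarise mod_security audit-log hits to drive false-positive tuning.

Added example for this page, not code from the page or from the ModSecurity
or CRS projects. It reads the serial audit log that SecAuditLogType Serial
writes (sections delimited by --<txid>-<letter>--), counts which rule IDs
fired on which request path, and emits exclusion directives. The sample log
is constructed; local rule IDs from 10001 are an assumption (CRS reserves
1-99999 for local rules).
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
# CRS files 949/959 (blocking evaluation) and 980 (correlation) only act on
# the anomaly score; excluding them turns blocking off, so never suggest them.
SCORING_PREFIXES = ("949", "959", "980")

# Constructed sample: two legitimate /search queries with apostrophes that the
# libinjection rule flags (a false positive), and one /login request.
SAMPLE_AUDIT_LOG = """--1a2b3c4d-A--
[24/Jun/2026:10:15:01 +0000] aBcDeFgHiJkLmNoPqRsT 203.0.113.5 51234 198.51.100.10 80
--1a2b3c4d-B--
GET /search?q=O%27Reilly HTTP/1.1
Host: www.example.com
--1a2b3c4d-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"
--1a2b3c4d-Z--
--5e6f7a8b-A--
[24/Jun/2026:10:16:44 +0000] bCdEfGhIjKlMnOpQrStU 203.0.113.7 40022 198.51.100.10 80
--5e6f7a8b-B--
GET /search?q=Fisher%27s+exact+test HTTP/1.1
Host: www.example.com
--5e6f7a8b-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"
--5e6f7a8b-Z--
--9c0d1e2f-A--
[24/Jun/2026:10:20:09 +0000] cDeFgHiJkLmNoPqRsTuV 198.51.100.23 60410 198.51.100.10 80
--9c0d1e2f-B--
POST /login HTTP/1.1
Host: www.example.com
--9c0d1e2f-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"
--9c0d1e2f-Z--
"""


def parse_transactions(log_text):
    """Group the audit log into {txid: {section letter: section text}}."""
    transactions, tx, section = {}, None, None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            tx, section = m.groups()
            transactions.setdefault(tx, {}).setdefault(section, [])
        elif tx is not None:
            transactions[tx][section].append(line)
    return {t: {s: "\n".join(v) for s, v in secs.items()}
            for t, secs in transactions.items()}


def request_path(section_b):
    """Path of the request line in section B, without the query string."""
    parts = section_b.strip().split("\n", 1)[0].split()
    return parts[1].split("?", 1)[0] if len(parts) >= 2 else "<unknown>"


def rule_hits(log_text):
    """Count (rule_id, path) pairs from the Message: lines of section H."""
    hits = Counter()
    for secs in parse_transactions(log_text).values():
        path = request_path(secs.get("B", ""))
        for line in secs.get("H", "").splitlines():
            m = RULE_ID_RE.search(line)
            if line.startswith("Message:") and m:
                hits[(m.group(1), path)] += 1
    return hits


def suggest_exclusions(hits, min_hits=2, first_local_id=10001):
    """Exclusion directives for rules that fired repeatedly on one path.

    The global SecRuleRemoveById form goes in a comment; the emitted SecRule
    scopes the exclusion to the path. first_local_id is an assumed free ID.
    """
    directives, local_id = [], first_local_id
    for (rule_id, path), n in sorted(hits.items(), key=lambda kv: -kv[1]):
        if n < min_hits or rule_id.startswith(SCORING_PREFIXES):
            continue
        directives.append(
            f"# rule {rule_id} fired {n} times on {path}; global alternative: "
            f"SecRuleRemoveById {rule_id}\n"
            f'SecRule REQUEST_URI "@beginsWith {path}" '
            f'"id:{local_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"'
        )
        local_id += 1
    return directives


if __name__ == "__main__":
    for (rule_id, path), n in rule_hits(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:4d}  {rule_id}  {path}")
    print("\n".join(suggest_exclusions(rule_hits(SAMPLE_AUDIT_LOG))))
```

Run it against a real log with rule_hits(open("/var/log/apache2/modsec_audit.log").read()). When a rule matches only one parameter, a narrower exclusion than ruleRemoveById is ctl:ruleRemoveTargetById=942100;ARGS:q, which keeps the rule active for every other parameter of the same request.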
