ModSecurity Configuration for Passbolt

ModSecurity is a module for Apache that acts as a web application firewall. It applies rulesets that restrict which requests Apache will accept: requests matching patterns for potentially dangerous input are blocked, and exceptions are added for the requests an application legitimately needs. ModSecurity is driven by a large collection of rules that try to filter out anything that could be dangerous, and those rules are intentionally strict by default, so most web applications need a few rule exceptions to function.

This post assumes you already know how to administer Apache with ModSecurity installed. If you are running Passbolt, adding the following to the Passbolt VirtualHost block should allow it to function correctly:

# The rule ids below are OWASP Core Rule Set (CRS 3.x) ids, except 200004,
# which comes from modsecurity.conf-recommended. Each exception is scoped to a
# path, so the rest of the site keeps the full ruleset.

# 200004: multipart parser detected a possible unmatched boundary
# 942100: SQL injection detected via libinjection
<Location "/auth/verify.json">
        SecRuleRemoveById 200004 942100
</Location>

<Location "/import/resources.json">
        SecRuleRemoveById 942100
</Location>

<Location "/resources.json">
        SecRuleRemoveById 942100
</Location>

# 911100: request method not allowed by policy
# 980130: inbound anomaly score correlation (phase 5 logging rule)
<LocationMatch "^/resources/.*">
        SecRuleRemoveById 911100 980130 942100
</LocationMatch>

<LocationMatch "^/users/.*">
        SecRuleRemoveById 911100
</LocationMatch>

# 949110 is the CRS inbound anomaly score blocking rule. Removing it switches
# off anomaly-based blocking for every request matching this pattern, so keep
# the pattern as narrow as possible.
<LocationMatch "^/setup/completeRecovery/.*\.json">
        SecRuleRemoveById 980130 911100 949110
</LocationMatch>
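To work out which exceptions a deployment actually needs (or to confirm that the ones above are still sufficient after a Passbolt upgrade), the usual approach is to exercise the application with the rules active and collect the rule ids ModSecurity logs for each URI. The script below is an added example, not code from the original post or the Passbolt project. It assumes the alert format ModSecurity 2.x writes to Apache's error log (bracketed fields such as [id "..."], [msg "..."] and [uri "..."]), parses a few constructed sample lines, and prints candidate SecRuleRemoveById blocks per path. It deliberately leaves the CRS anomaly-score evaluation rules (949110 and 980130) out of the suggestions, because they fire as a consequence of other rules rather than on their own.

```python
"""Summarise ModSecurity alerts from an Apache error log by URI and rule id,
then print candidate per-path SecRuleRemoveById exceptions.

Added example (not from the original post). Assumes the ModSecurity 2.x
alert format in Apache's error log; the log lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines in the shape ModSecurity 2.x writes to Apache's error log.
SAMPLE_LOG = r"""
[Tue Jan 02 10:00:01.000001 2024] [security2:error] [pid 100:tid 200] [client 203.0.113.5:51234] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "passbolt.example.test"] [uri "/resources.json"] [unique_id "Zabc1"]
[Tue Jan 02 10:00:01.000002 2024] [security2:error] [pid 100:tid 200] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "passbolt.example.test"] [uri "/resources.json"] [unique_id "Zabc1"]
[Tue Jan 02 10:00:05.000001 2024] [security2:error] [pid 100:tid 201] [client 203.0.113.5:51240] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity/crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "passbolt.example.test"] [uri "/users/me.json"] [unique_id "Zabc2"]
[Tue Jan 02 10:00:09.000001 2024] [security2:error] [pid 100:tid 202] [client 203.0.113.5:51250] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "passbolt.example.test"] [uri "/resources.json"] [unique_id "Zabc3"]
[Tue Jan 02 10:00:10.000001 2024] [core:notice] [pid 100] AH00094: Command line: '/usr/sbin/apache2'
"""

# Alert lines carry key/value fragments such as [id "942100"] or [uri "/x.json"].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# CRS rules that only fire because other rules raised the anomaly score.
# Removing them silences or disables blocking rather than fixing a false positive.
EVALUATION_RULES = {"949110", "980130"}


def parse_alert(line):
    """Return {field: value} for a ModSecurity alert line, or None for other log lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields or "uri" not in fields:
        return None
    fields["blocked"] = "Access denied" in line
    return fields


def summarise(log_text):
    """Count rule hits per URI: {uri: {rule_id: {"count", "msg", "blocked"}}}."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = hits[alert["uri"]].setdefault(
            alert["id"], {"count": 0, "msg": alert.get("msg", ""), "blocked": False}
        )
        entry["count"] += 1
        entry["blocked"] = entry["blocked"] or alert["blocked"]
    return hits


def suggest_exceptions(hits):
    """Render one <Location> block per URI listing the rule ids that fired there.

    The ids are candidates only: review the request that triggered each one
    before adding the exception to the VirtualHost.
    """
    blocks = []
    for uri in sorted(hits):
        lines = []
        for rid in sorted(hits[uri]):
            info = hits[uri][rid]
            note = " (anomaly-score evaluation rule, not suggested)" if rid in EVALUATION_RULES else ""
            lines.append("    # %s: %s, hits=%d%s%s" % (
                rid, info["msg"], info["count"], ", blocked" if info["blocked"] else "", note))
        candidates = [rid for rid in sorted(hits[uri]) if rid not in EVALUATION_RULES]
        if candidates:
            lines.append("    SecRuleRemoveById " + " ".join(candidates))
        blocks.append('<Location "%s">\n%s\n</Location>' % (uri, "\n".join(lines)))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(suggest_exceptions(summarise(SAMPLE_LOG)))
```

Run it against a real error log (for example, `summarise(open("/var/log/apache2/error.log").read())`) after walking through the Passbolt UI, and compare the per-path rule ids it reports with the exceptions above; a rule id that only appears with `blocked` is the one actually breaking the application, while the rest are noise you may prefer to leave logged.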