Thursday, January 20, 2011

How to disable mod_security in .htaccess file

SkyHi @ Thursday, January 20, 2011
It is quite common that mod_security is interfering the functions of your web applications. mod_security is installed and enabled by your web server admin but you can still disable it for your individual website using .htaccess file by following this tutorial.

“mod_security is an Apache module (for Apache 1 and 2) that provides intrusion detection and prevention for web applications.” — HowtoForge

Disable mod_security in .htaccess file

1. If you do not have one yet, an .htaccess file in the folder of your web application
2. To disable mod_security COMPLETELY, add the following line to the .htaccess file:
SecFilterEngine Off
OR, to disable HTTP POST scanning only, use the following instead:
SecFilterScanPOST Off
3. Save the file and test your web application to check whether disabling mod_security has solved your problem.

I recommend you to try SecFilterScanPOST Off first, instead of disabling mod_security completely.

My two cents

mod_security is good to protect your website but it might cause some problems for certain web applications, especially in file uploads. My server has mod_security enabled and I encountered WordPress upload error: “HTTP error”. The SecFilterScanPOST Off solved the problem immediately.
<Directory /var/www/html/phpmyadmin>
SecRuleEngine Off

<Directory "/var/www/html/phpmyadmin">
Order deny,allow
Deny from all
Allow from 192.168.2