
    Fix Custom Module’s ModSecurity Error in Magento 2

    What is ModSecurity?

    ModSecurity is an open-source web application firewall (WAF) supported by different web servers such as Apache, Nginx, and IIS.
    ModSecurity is also known as ModSec. It comes with a Core Rule Set (CRS) containing rules that protect your website from various attacks such as cross-site scripting, bad user agents, SQL injection, trojans, session hijacking, etc.
    To detect threats, the ModSecurity engine is deployed either embedded within the web server or as a proxy server in front of the web application. This allows the engine to scan incoming and outgoing HTTP traffic to the endpoint. Depending on the rule configuration, the engine decides how each request should be handled, with the ability to pass, drop, redirect, return a given status code, execute a user script, and more.

    When and Why does the ModSecurity error happen?

    When you execute your controller or custom module’s code on your server, each page request to your server or website is checked against various rules to filter out malicious requests. Sometimes, due to poor website coding, ModSecurity may incorrectly determine that a certain request is malicious, and you get an error.
    The error simply states that you don’t have permission to access the server, or that your hosting provider is blocking that kind of request to their servers.

    For example: in the admin section, a custom form saves some information from an editor. When the submitted data includes HTML tags, the ModSecurity rules block the request and the page returns a 403 Forbidden error. Please refer to the attached image.

    (Image: ModSecurity 403 Forbidden error)

    When you get an error due to ModSecurity even though the code in your custom module is valid, you can disable the ModSecurity rules for your whole server or website, OR you can disable them only for a specific URI.
    There are different ways to disable the ModSecurity rules depending on the web server.

    Here, I am going to show you how to do that by making some changes in the .htaccess file in your root directory.

    Case 1: Disable ModSecurity for your website:
    This method is not recommended, as it turns off the whole mod_security Apache module for your website, which weakens your website’s security.

    To disable the mod_security module using the .htaccess file, do the following.

    1. Take a backup of the .htaccess file in the server’s root directory.
    2. Open the .htaccess file in a text editor.
    3. Add the following to the .htaccess file.
    <IfModule mod_security.c>
        SecFilterEngine Off
        SecFilterScanPOST Off
    </IfModule>

    4. Restart the Apache web server.

    Case 2: Disable ModSecurity for specific URLs:
    In this method, you disable ModSecurity only for specific URLs rather than for your entire website. You specify which URLs to match via the regex in the <If> statement, as below.

    ### DISABLE mod_security firewall
    ### Some rules are currently too strict and are blocking legitimate users
    ### We only disable it for URLs that contain the regex below
    ### The regex below should be placed between "m#" and "#"
    ### (this syntax is required when the string contains forward slashes)
    <IfModule mod_security.c>
      <If "%{REQUEST_URI} =~ m#/admin/#">
        SecFilterEngine Off
        SecFilterScanPOST Off
      </If>
    </IfModule>

    After making the changes in the .htaccess file, restart the Apache web server.
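A narrower alternative to switching the engine off for the admin prefix is to find out which CRS rule actually fired and remove only that rule for those URLs. The following shell script is an added example, not code from the original post: it parses a constructed ModSecurity 2.x / CRS 3 error-log excerpt (hosts, IPs, paths and unique ids are sample values) and renders a ModSecurity 2.x SecRule exclusion using ctl:ruleRemoveById. It assumes ModSecurity 2.x (SecFilterEngine and SecFilterScanPOST are 1.x directive names; 2.x uses SecRuleEngine and SecRequestBodyAccess) and that the exclusion is placed where it runs before the CRS rules, i.e. ahead of the CRS include in the vhost config, or in .htaccess only if ModSecurity was built with --enable-htaccess-config.

```shell
#!/bin/sh
# Constructed ModSecurity 2.x / CRS 3 error-log excerpt for the blocked admin
# form save described above. Hosts, client IPs, paths and unique_ids are sample
# values; the rule ids are real CRS ids (941100, 941160, 949110, 942100).
SAMPLE_LOG='[Mon Mar 02 10:15:01.123456 2020] [:error] [pid 2231] [client 203.0.113.5:51234] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/admin/custom/form/save/"] [unique_id "sample-1"]
[Mon Mar 02 10:15:01.123457 2020] [:error] [pid 2231] [client 203.0.113.5:51234] ModSecurity: Warning. Pattern match "(?i:<[^\w<>]*)" at ARGS:content. [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [uri "/admin/custom/form/save/"] [unique_id "sample-1"]
[Mon Mar 02 10:15:01.123458 2020] [:error] [pid 2231] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [uri "/admin/custom/form/save/"] [unique_id "sample-1"]
[Mon Mar 02 10:16:44.000000 2020] [:error] [pid 2231] [client 198.51.100.9:40001] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/catalogsearch/result/"] [unique_id "sample-2"]'

# Print "<id> <msg>" for each CRS rule that fired on requests whose URI starts
# with $1, reading the error log on stdin. The anomaly-evaluation rules
# (949xxx blocking, 980xxx reporting) are skipped on purpose: removing them
# would switch off blocking for the prefix entirely, not just the false positive.
fired_rules() {
    prefix="$1"
    grep -F 'ModSecurity:' |
        grep -F "[uri \"$prefix" |
        sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' |
        grep -v -E '^(949|980)[0-9]{3} ' |
        sort -u
}

# Render a ModSecurity 2.x runtime exclusion: the engine stays on, and only the
# listed rule ids are removed for requests under the prefix.
#   $1 = URI prefix, $2 = id for the exclusion rule itself (must be unique;
#   1-99999 is the range reserved for local rules), rest = rule ids to remove.
# The rule has to run before the rules it removes, so put it ahead of the CRS
# include in the vhost config (or in .htaccess only if ModSecurity was built
# with --enable-htaccess-config).
render_exclusion() {
    prefix="$1"; rule_id="$2"; shift 2
    actions="id:$rule_id,phase:1,pass,nolog"
    for rid in "$@"; do
        actions="$actions,ctl:ruleRemoveById=$rid"
    done
    printf 'SecRule REQUEST_URI "@beginsWith %s" "%s"\n' "$prefix" "$actions"
}

main() {
    echo "# rules that fired under /admin/:"
    printf '%s\n' "$SAMPLE_LOG" | fired_rules /admin/ | sed 's/^/#   /'
    ids=$(printf '%s\n' "$SAMPLE_LOG" | fired_rules /admin/ | cut -d' ' -f1)
    # $ids is intentionally unquoted: one numeric id per word
    render_exclusion /admin/ 10001 $ids
}
main
```

Run it against the real error log with `fired_rules /admin/ < /var/log/apache2/error.log` (path assumed) and review each [msg] before excluding a rule; a rule that fires on a field that legitimately carries HTML is a false positive, a rule that fires on a URL parameter usually is not.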
    Hope this will be helpful. Thanks 🙂
