
Trying to build a rule that will 403 any incoming traffic that doesn't contain the header X-CFKey and match a specific value of X-CFKey.

I've got modsecurity testing the X-CFKey value successfully, but it fails when the header is missing altogether. I'm trying to test for the lack of presence of the header at the moment using !@contains. I am able to get @contains to pass predictably, though !@contains matches on everything.

SecRule REQUEST_HEADERS_NAMES "!@contains x-cfkey" \
    "id:52,log,deny,status:403,t:lowercase,msg:'Does not contain header X-CFKey'"

What am I missing here, why is ! being so unpredictable?

Alex Turner

1 Answer


Imagine you've resolved or worked around this a while ago but just spotted this so thought I'd answer in case you or anyone else wanted to know.

It iterates through each name, and as each name doesn't contain x-cfkey that matches. Confused with the double negatives yet? :-)

The correct way of writing your rule is like this:

SecRule &REQUEST_HEADERS_NAMES:x-cfkey "@eq 0" \
    "id:52,log,deny,status:403,t:lowercase,msg:'Does not contain header X-CFKey'"

See similar check here for Cookies: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#REQUEST_COOKIES_NAMES

Barry Pollard
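To make the per-member evaluation in the answer concrete, here is an added Python model (not code from the post or from ModSecurity) that applies both rules to constructed header sets. `rule_not_contains` and `rule_count_eq_zero` are illustrative names; the model assumes collection members are evaluated one by one and that the `&COLLECTION:key` lookup compares names case-insensitively.

```python
# Added model of why `SecRule REQUEST_HEADERS_NAMES "!@contains x-cfkey"` fires on
# almost every request while `SecRule &REQUEST_HEADERS_NAMES:x-cfkey "@eq 0"` fires
# only when the header is absent. Assumption: a rule over a collection is applied
# to each member in turn, and a negated operator matches any member that FAILS the
# operator, so a single unrelated header name is enough to trigger the rule.

def header_names(headers):
    """Model of REQUEST_HEADERS_NAMES after t:lowercase."""
    return [name.lower() for name in headers]

def rule_not_contains(headers, needle="x-cfkey"):
    """SecRule REQUEST_HEADERS_NAMES "!@contains x-cfkey".
    Evaluated per name: matches if ANY name does not contain the needle."""
    return any(needle not in name for name in header_names(headers))

def rule_count_eq_zero(headers, key="x-cfkey"):
    """SecRule &REQUEST_HEADERS_NAMES:x-cfkey "@eq 0".
    The & prefix yields the number of members whose name is x-cfkey
    (assumed case-insensitive), so it matches only when no such header exists."""
    count = sum(1 for name in header_names(headers) if name == key)
    return count == 0

# Constructed sample requests (not real traffic).
WITH_KEY = {"Host": "example.test", "User-Agent": "curl/8.0", "X-CFKey": "secret"}
WITHOUT_KEY = {"Host": "example.test", "User-Agent": "curl/8.0"}

def verdicts(headers):
    """Return (not_contains_denies, count_eq_zero_denies) for one request."""
    return rule_not_contains(headers), rule_count_eq_zero(headers)

if __name__ == "__main__":
    for label, req in (("with X-CFKey", WITH_KEY), ("without X-CFKey", WITHOUT_KEY)):
        nc, cz = verdicts(req)
        print(f"{label:16} !@contains -> {'403' if nc else 'pass'}   "
              f"&...@eq 0 -> {'403' if cz else 'pass'}")
```

The first rule denies both requests because `Host` and `User-Agent` each fail `@contains x-cfkey`; only the count-based rule distinguishes the request that actually carries the header.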