The connection monitor in MainWP is reporting that sites are down because requests are triggering OWASP rule 920170.
This is because a GET request from MainWP has a non-zero Content-Length header, which is invalid.
While it is possible to disable this rule, this leaves servers open to a range of attacks that the rule is designed to block. I haven’t logged the additional data (yet) but if it’s meaningful, perhaps a POST request would be more appropriate.
Hey @abivia
Welcome to the community!
We will look into the details on why we are triggering that OWASP rule.
In the mean time, can you please try setting the method to HEAD and see if that works around it?
We have made some changes in the MainWP Dashboard, which should help with this.
I’m sending you a pre-release version with these changes via a direct message. Please let us know if it helps.
Re-enabling the ModSec rule and pinging sites via POST works.
Glad to hear that works.
If you get a chance, please see if the version I sent you works with the GET method without tripping ModSecurity.
The patched version works with GET requests. Thanks!
(I had to upload and unzip it in place, but I suspect that’s an issue on my end.)
Great! Thank you for testing it and letting us know.
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.
