fix: wp-json記事投稿がModSecurity CRSに誤検知ブロックされる問題を修正#4
Open
makoto-kamimura wants to merge 1 commit into
Open
Conversation
…coring Authenticated POST/PUT requests to /wp-json/wp/v2/posts and /pages carry rich article content (multiple paragraphs, Mermaid diagrams, links) that was accumulating enough CRS anomaly score to exceed ANOMALY_INBOUND and get blocked with a 403 before reaching WordPress, even for legitimate requests authenticated with an application password. Add a targeted exclusion in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf that only skips CRS for POST/PUT to those endpoints when an Authorization header is present; GET requests, unauthenticated requests, and all other paths (wp-login.php, wp-admin, etc.) stay fully covered.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/wp-json/wp/v2/postsにPOSTすると、手前のnginx + OWASP ModSecurity CRSに403 Forbiddenで誤検知ブロックされることを確認しました<p>/<a>タグ、日本語の記号など)ではCRSの匿名スコアがANOMALY_INBOUND(=10) のしきい値を超えてしまい、認証済み(アプリケーションパスワード使用)の正規リクエストまでブロックされていましたplatform/nginx_data/modsec-rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.confが空だったため、wp-json REST APIに対する除外設定が一切ない状態でしたPOST/PUTに限定し、/wp-json/wp/v2/postsと/wp-json/wp/v2/pages(記事・固定ページ書き込みエンドポイント)に対してのみCRS検査を除外するルールを追加しましたwp-login.phpやwp-adminなど他のパスは引き続きCRSのフル検査対象のままですTest plan
docker compose up -d --remove-orphansで nginx コンテナを再起動し、設定が反映されることを確認nginx -t相当のヘルスチェックが通ることを確認(既存のhealthcheckで自動検証)/wp-json/wp/v2/postsに複数段落+Mermaid図を含む本文をPOSTし、201 Createdになることを確認wp-login.phpへのXSS/SQLiパターンを含むリクエストが引き続きCRSでブロックされることを確認(除外範囲が広すぎないことの確認)Generated by Claude Code