npm - @abtnode/router-provider - Versions diffs - 1.16.38-beta-20250116-083413-dbd33222 → 1.16.38-beta-20250118-033334-2da05ae8 - Mend

@abtnode/router-provider 1.16.38-beta-20250116-083413-dbd33222 → 1.16.38-beta-20250118-033334-2da05ae8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/lib/nginx/includes/security/crs4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf ADDED Viewed

@@ -0,0 +1,1915 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.9.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+#
+# Some protocol violations are common in application layer attacks.
+# Validating HTTP requests eliminates a large number of application layer attacks.
+#
+# The purpose of this rules file is to enforce HTTP RFC requirements that state how
+# the client is supposed to interact with the server.
+# https://www.rfc-editor.org/rfc/rfc9110.html
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+#
+# Validate request line against the format specified in the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+#
+# Uses rule negation against the regex for positive security.   The regex specifies the proper
+# construction of URI request lines such as:
+#
+#   "http" "://" authority path-abempty [ "?" query ]
+#
+# It also outlines proper construction for CONNECT, OPTIONS and GET requests.
+#
+# Regular expression generated from regex-assembly/920100.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 920100
+#
+# -=[ References ]=-
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-4.2.1
+# http://capec.mitre.org/data/definitions/272.html
+#
+SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\x0b]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)?)[\s\x0b]+[\.-9A-Z_a-z]+)$" \
+    "id:920100,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Invalid HTTP Request Line',\
+    logdata:'%{request_line}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+#
+# Identify multipart/form-data name evasion attempts
+#
+# There are possible impedance mismatches between how
+# ModSecurity interprets multipart file names and how
+# a destination app server such as PHP might parse the
+# Content-Disposition data:
+#
+#            filename-parm := "filename" "=" value
+#
+# -=[ Rule Logic ]=-
+# These rules check for the existence of the ' " ; = meta-characters in
+# either the "name" (FILES) and "filename" (FILES_NAMES) variables.
+# HTML entities may lead to false positives, which is why
+# frequently used ones, such as "&auml;", are allowed at PL1.
+#
+# -=[ Targets, characters and html entities ]=-
+#
+# 920120: PL1 : FILES_NAMES, FILES
+#    Disallow ['\";=\\], except for frequently used HTML entities (see 920120.ra).
+#
+# 920121: PL2 : FILES_NAMES, FILES
+#    Disallow ['\";=\\]
+#
+# -=[ References ]=-
+# http://www.ietf.org/rfc/rfc2183.txt
+#
+# This rule used to use negative look-behind.
+# See https://github.com/coreruleset/coreruleset/wiki/Technical-Decisions-and-Best-Practices#avoiding-negative-look-behind-in-regular-expressions
+# for an explanation of why it now uses `!@rx` instead to avoid look-around.
+#
+# Regular expression generated from regex-assembly/920120.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 920120
+#
+SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=\x5c])*$" \
+    "id:920120,\
+    phase:2,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Attempted multipart/form-data bypass',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Accept only digits in content length
+#
+# -=[ Rule Logic ]=-
+# This rule uses ModSecurity's rule negation against the regex meaning if the Content-Length header
+# is NOT all digits, then it will match.
+#
+# -=[ References ]=-
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6
+#
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
+    "id:920160,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Content-Length HTTP header is not numeric',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Do not accept GET or HEAD requests with bodies
+# In RCF-9110, "A client SHOULD NOT generate content in a HEAD/GET request
+# unless it is made directly to an origin server that has previously indicated"
+#
+# -=[ Rule Logic ]=-
+# The chained rule matches when:
+# 1) If the request method is GET or HEAD
+# AND
+# 2) Header: Content-Length exists and non-zero
+#
+# -=[ References ]=-
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.1
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.2
+#
+SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
+    "id:920170,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'GET or HEAD Request with Body Content',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
+        "t:none,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# This is a sibling of rule 920170
+#
+SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
+    "id:920171,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'GET or HEAD Request with Transfer-Encoding',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
+        "t:none,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Require Content-Length or Transfer-Encoding to be provided with
+# every POST request if the protocol version is not HTTP/2 or HTTP/3.
+#
+# In case of HTTP/2, see the RFC7540 8.1 p52:
+# HTTP/2 does not use the Transfer-Encoding: chunked anymore, because
+# the underlying transport protocol is already using data frames with
+# known length.
+#
+# In case of HTTP/3, see the RFC9114 4.1:
+# Transfer codings (see Section 7 of [HTTP/1.1]) are not defined for
+# HTTP/3; the Transfer-Encoding header field MUST NOT be used.
+#
+# -=[ Rule Logic ]=-
+# This chained rule checks if the protocol is not HTTP/2 or HTTP/3,
+# then checks request method is POST, if so, it checks that a
+# Content-Length or Transfer-Encoding headers are also present.
+#
+SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
+    "id:920180,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'POST without Content-Length or Transfer-Encoding headers',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    chain"
+    SecRule REQUEST_METHOD "@streq POST" \
+        "chain"
+        SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
+            "chain"
+            SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
+                "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+#
+# As per RFC7230 3.3.2: A sender MUST NOT send a Content-Length
+# header field in any message that contains a Transfer-Encoding header
+# field.
+#
+# Related to 920170, 920171 and 920180.
+#
+SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
+    "id:920181,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Content-Length and Transfer-Encoding headers present',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    chain"
+    SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
+        "t:none,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+#
+# Range Header Check
+#
+# RFC7233 2.1 p6:
+# "A byte-range-spec is invalid if the last-byte-pos value is present
+# and less than the first-byte-pos."
+#
+# -=[ Rule Logic ]=-
+# This rule compares the first and second byte ranges and flags
+# when the first value is greater than the second.
+#
+# -=[ References ]=-
+# https://datatracker.ietf.org/doc/html/rfc7233
+# https://seclists.org/fulldisclosure/2011/Aug/175
+#
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
+    "id:920190,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Range: Invalid Last Byte Value',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    chain"
+    SecRule TX:2 "@lt %{tx.1}" \
+        "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+#
+# Broken/Malicious clients often have duplicate or conflicting headers
+# Automated programs and bots often do not obey the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+# This rule inspects the Connection header and looks for duplicates of the
+# keep-alive and close options.
+#
+# -=[ References ]=-
+# https://datatracker.ietf.org/doc/html/rfc7233
+#
+SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|close)\b" \
+    "id:920210,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Multiple/Conflicting Connection Header Data Found',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+#
+# Check URL encodings
+#
+# -=[ Rule Logic ]=-
+# There are two different chained rules.    We need to separate them as we are inspecting two
+# different variables - REQUEST_URI_RAW and REQUEST_BODY.   For REQUEST_BODY, we only want to
+# run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoding.
+#
+# We exclude the last path segment from validation because it could be a file name, which could
+# easily contain a '%' character that is not part of a URI encoded sequence.
+#
+# -=[ References ]=-
+# http://www.ietf.org/rfc/rfc1738.txt
+#
+# -=[ Example payload ]=-
+# http://localhost/?s=a%20b%20c%'/
+# reason: %'/ is not a valid url encoding
+#
+# Regular expression generated from regex-assembly/920220-chain1.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 920220-chain1
+#
+SecRule REQUEST_URI_RAW "@rx \x25" \
+    "id:920220,\
+    phase:1,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'URL Encoding Abuse Attack Attempt',\
+    logdata:'%{REQUEST_URI_RAW}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153/267/72',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule REQUEST_URI_RAW "@rx ^(.*)/(?:[^\?]+)?(\?.*)?$" \
+        "capture,\
+        chain"
+        SecRule TX:1|TX:2 "@validateUrlEncoding" \
+            "t:none,t:urlDecodeUni,\
+            setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+# Validate URI encoding of the last path segment, only if it does not look like a file name.
+# A file name could easily contain a '%' character that is not part of a URI encoded sequence.
+#
+# Regular expression generated from regex-assembly/920221.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 920221
+#
+SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\x0b\.]+$" \
+    "id:920221,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:urlDecodeUni,\
+    msg:'URL Encoding Abuse Attack Attempt',\
+    logdata:'%{REQUEST_BASENAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153/267/72',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule TX:0 "@validateUrlEncoding" \
+        "t:none,t:urlDecodeUni,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Check UTF encoding
+# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
+# it will result in false positives.
+#
+# -=[ Rule Logic ]=-
+# This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING
+# variable in the crs-setup.conf file.
+#
+SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
+    "id:920250,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'UTF8 Encoding Abuse Attack Attempt',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153/267',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    chain"
+    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
+        "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+#
+# Disallow use of full-width unicode as decoding evasions may be possible.
+#
+# -=[ Rule Logic ]=-
+# This rule looks for full-width encoding by looking for %u followed by 2 'f'
+# characters and then 2 hex characters. It is a vulnerability that affected
+# IIS circa 2007.
+# The rule will trigger on %uXXXX formatted chars that are full or half
+# width, as explained above. This %uXXXX format is passed as a raw parameter
+# and is (seemingly only) accepted by IIS (5.0, 6.0, 7.0, and 8.0). Other
+# webservers will only process unicode chars presented as hex UTF-8 bytes.
+#
+# -=[ References ]=-
+# http://www.kb.cert.org/vuls/id/739224
+# https://www.checkpoint.com/defense/advisories/public/2007/cpai-2007-201.html
+# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/719
+#
+# Regular expression generated from regex-assembly/920260.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 920260
+#
+SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
+    "id:920260,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'Unicode Full/Half Width Abuse Attack Attempt',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-iis',\
+    tag:'platform-windows',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153/267/72',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+#
+# Restrict type of characters sent
+#
+# This is a rule with multiple stricter siblings that grows more
+# restrictive in higher paranoia levels.
+#
+# -=[ Rule Logic ]=-
+# This rule uses the @validateByteRange operator to restrict the request
+# payloads.
+#
+# -=[ Targets and ASCII Ranges ]=-
+#
+# 920270: PL1 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
+#       ASCII 1-255 : Full ASCII range without null character
+#
+# 920271: PL2 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
+#       ASCII 9,10,13,32-126,128-255 : Full visible ASCII range, tab, newline
+#
+# 920272: PL3 : REQUEST_URI, REQUEST_HEADERS, ARGS, ARGS_NAMES and REQUEST_BODY
+#       ASCII 32-36,38-126 : Visible lower ASCII range without percent symbol
+#
+# 920273: PL4 : ARGS, ARGS_NAMES and REQUEST_BODY
+#       ASCII 38,44-46,48-58,61,65-90,95,97-122
+#       A-Z a-z 0-9 = - _ . , : &
+#
+# 920274: PL4 : REQUEST_HEADERS without User-Agent, Referer, Cookie
+#               and Structured Header booleans
+#       ASCII 32,34,38,42-59,61,65-90,95,97-122
+#       A-Z a-z 0-9 = - _ . , : & " * + / SPACE
+#
+# REQUEST_URI and REQUEST_HEADERS User-Agent, Referer and Cookie are very hard
+# to restrict beyond the limits in 920272. Structured Header booleans are
+# validated separately in 920275.
+#
+# 920274 generally has few positives. However, it would detect rare attacks
+# on Accept request headers and friends.
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
+    "id:920270,\
+    phase:2,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Invalid character in request (null character)',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Do not accept requests without common headers.
+# All normal web browsers include Host, User-Agent and Accept headers.
+# Implies either an attacker or a legitimate automation client.
+#
+#
+# Missing/Empty Host Header
+#
+# -=[ Rule Logic ]=-
+# These rules will first check to see if a Host header is present.
+# The second check is to see if a Host header exists but is empty.
+#
+SecRule &REQUEST_HEADERS:Host "@eq 0" \
+    "id:920280,\
+    phase:1,\
+    pass,\
+    t:none,\
+    msg:'Request Missing a Host Header',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
+    skipAfter:END-HOST-CHECK"
+SecRule REQUEST_HEADERS:Host "@rx ^$" \
+    "id:920290,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Empty Host Header',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecMarker "END-HOST-CHECK"
+#
+# Empty Accept Header
+#
+# -=[ Rule Logic ]=-
+# This rule checks if an Accept header exists, but has an empty value.
+# This is only allowed in combination with the OPTIONS method.
+# Additionally, there are some clients sending empty Accept headers.
+# They are covered in another chained rule checking the User-Agent.
+# This technique demands a separate rule to detect an empty
+# Accept header if there is no user agent. This is checked via
+# the separate rule 920311.
+#
+# Exclude some common broken clients sending empty Accept header:
+# "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0" (CRS issue #515)
+# "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0" (CRS issue #366)
+#
+# -=[ References ]=-
+# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/366
+#
+SecRule REQUEST_HEADERS:Accept "@rx ^$" \
+    "id:920310,\
+    phase:1,\
+    pass,\
+    t:none,\
+    msg:'Request Has an Empty Accept Header',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'NOTICE',\
+    chain"
+    SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
+        "chain"
+        SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" \
+            "t:none,\
+            setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
+#
+# This rule is a sibling of rule 920310.
+#
+SecRule REQUEST_HEADERS:Accept "@rx ^$" \
+    "id:920311,\
+    phase:1,\
+    pass,\
+    t:none,\
+    msg:'Request Has an Empty Accept Header',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'NOTICE',\
+    chain"
+    SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
+        "chain"
+        SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
+            "t:none,\
+            setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
+#
+# Empty User-Agent Header
+#
+# -=[ Rule Logic ]=-
+# This rules will check to see if the User-Agent header is empty.
+#
+# Note that there is a second rule, 920320, which will check for
+# the existence of the User-Agent header.
+#
+SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
+    "id:920330,\
+    phase:1,\
+    pass,\
+    t:none,\
+    msg:'Empty User Agent Header',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'NOTICE',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
+#
+# Missing Content-Type Header with Request Body
+#
+# -=[ Rule Logic ]=-
+# This rule will first check to see if the value of the Content-Length header is
+# non-equal to 0. The chained rule is then checking the existence of the
+# Content-Type header. The RFCs do not state there must be a
+# Content-Type header. However, a request missing a Content-Header is a
+# strong indication of a non-compliant browser.
+#
+# Also, omitting the CT header allows to bypass the Request Body Processor
+# unless you set the optional tx.enforce_bodyproc_urlencoded variable.
+#
+# Note: in default settings, this behavior only provides a NOTICE and will
+# not cause a request to be blocked. However, in paranoia level 2 or
+# higher, we run sibling 920341, which DOES block these requests.
+#
+# -=[ References ]=-
+# http://httpwg.org/specs/rfc7231.html#header.content-type
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
+    "id:920340,\
+    phase:1,\
+    pass,\
+    t:none,\
+    msg:'Request Containing Content, but Missing Content-Type header',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'NOTICE',\
+    chain"
+    SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
+        "t:none,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
+# Check that the host header is not an IP address
+# This is not an HTTP RFC violation but it is indicative of automated client access.
+# Many web-based worms propagate by scanning IP address blocks.
+#
+# -=[ Rule Logic ]=-
+# This rule triggers if the Host header contains an IPv4 or IPv6 address, optionally
+# extended with a port number. In the case of IPv6 we covering the address with square
+# brackets and the address without square brackets.
+#
+# The regex consists of three main parts and said optional group:
+#
+# * IPv4 address
+# * IPv6 address with square brackets
+# * IPv6 address without square brackets
+# * optional colon and port number
+#
+# Please note that the regex does not test the validity of the IP addresses.
+# It just tries to detect a potential IP address.
+#
+# -=[ References ]=-
+# https://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
+#
+SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)" \
+    "id:920350,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Host header is a numeric IP address',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+# In most cases, you should expect a certain volume of each a request on your
+# website. For example, a request with 400 arguments, can be suspicious.
+# This file creates limitations on the request.
+#
+# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
+#           Note that most of the rules are commented out by default.
+#           Uncomment the rules you need
+#
+#
+# Maximum number of arguments in request limited
+#
+SecRule &TX:MAX_NUM_ARGS "@eq 1" \
+    "id:920380,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'Too many arguments in request',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule &ARGS "@gt %{tx.max_num_args}" \
+        "t:none,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+## -- Arguments limits --
+#
+# Limit argument name length
+#
+SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
+    "id:920360,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'Argument name too long',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
+        "t:none,t:length,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Limit argument value length
+#
+# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
+# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
+#
+SecRule &TX:ARG_LENGTH "@eq 1" \
+    "id:920370,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'Argument value too long',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule ARGS "@gt %{tx.arg_length}" \
+        "t:none,t:length,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Limit arguments total length
+#
+SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
+    "id:920390,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'Total arguments size exceeded',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
+        "t:none,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# -- File upload limits --
+#
+# Individual file size is limited
+SecRule &TX:MAX_FILE_SIZE "@eq 1" \
+    "id:920400,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Uploaded file size too large',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
+        "chain"
+        SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" \
+            "t:none,\
+            setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Combined file size is limited
+#
+SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
+    "id:920410,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'Total uploaded files size too large',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
+        "t:none,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Restrict which content-types we accept.
+#
+# Restrict Content-Type header to established patterns.
+#
+# This provides generic allow list protection against vulnerabilities like
+# Apache Struts Content-Type arbitrary command execution (CVE-2017-5638).
+#
+# Examples of allowed patterns:
+# - text/plain
+# - text/plain; charset="UTF-8"
+# - multipart/form-data; boundary=----WebKitFormBoundary12345
+# - application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"
+# - application/*+json
+SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s*(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \
+    "id:920470,\
+    phase:1,\
+    block,\
+    t:none,t:lowercase,\
+    msg:'Illegal Content-Type header',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153',\
+    tag:'PCI/12.1',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+# In case Content-Type header can be parsed, check the mime-type against
+# the policy defined in the 'allowed_request_content_type' variable.
+# To change your policy, edit crs-setup.conf and activate rule 900220.
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
+    "id:920420,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Request content type is not allowed by policy',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153',\
+    tag:'PCI/12.1',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.content_type=|%{tx.0}|',\
+    chain"
+    SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \
+        "t:lowercase,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Restrict charset parameter within the content-type header
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
+    "id:920480,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Request content type charset is not allowed by policy',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153',\
+    tag:'PCI/12.1',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.content_type_charset=|%{tx.1}|',\
+    chain"
+    SecRule TX:content_type_charset "!@within %{tx.allowed_request_content_type_charset}" \
+        "t:lowercase,\
+        ctl:forceRequestBodyVariable=On,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Restrict charset parameter inside content type header to occur max once.
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
+    "id:920530,\
+    phase:1,\
+    block,\
+    t:none,t:lowercase,\
+    msg:'Multiple charsets detected in content type header',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153',\
+    tag:'PCI/12.1',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Restrict protocol versions.
+#
+SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
+    "id:920430,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'HTTP protocol version is not allowed by policy',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Restrict file extension
+#
+SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
+    "id:920440,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:urlDecodeUni,\
+    msg:'URL file extension is restricted by policy',\
+    logdata:'%{TX.0}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.extension=.%{tx.1}/',\
+    chain"
+    SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
+        "t:none,t:lowercase,\
+        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Backup or "working" file extension
+# example: index.php~, /index.php~/foo/
+#
+SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
+    "id:920500,\
+    phase:1,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Attempt to access a backup or working file',\
+    logdata:'%{TX.0}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Restricted HTTP headers
+#
+# -=[ Rule Logic ]=-
+# The use of certain headers is restricted. They are listed in two variables:
+# - TX.restricted_headers_basic: Known security risks, always forbidden (rule
+#                                920450)
+# - TX.restricted_headers_extended: Possible false positives, possible security
+#                                   risks, may be forbidden (rule 920451)
+#
+# The headers are transformed into lowercase before the match. In order to make
+# sure that only complete header names match, the names in the
+# TX.restricted_headers_* variables are wrapped in slashes. This guarantees that
+# the Range header (which becomes /range/) will not match the restricted
+# /content-range/ header, for example.
+#
+# This is a chained rule, where the first rule fills a set of variables of the
+# form TX.header_name_<RULE_ID>_<HEADER_NAME>. The second rule is then executed
+# for all variables of the form TX.header_name_<RULE_ID>_<HEADER_NAME>.
+#
+# As a consequence of the construction of the rule, the alert message and the
+# alert data will not display the original header name Content-Range, but
+# /content-range/ instead.
+#
+# This rule has a stricter sibling, 920451, which matches against the variable
+# TX.restricted_headers_extended. It handles deprecated headers that are still
+# in use (so false positives are possible, hence unsuitable for blocking in a
+# default paranoia level 1 installation) and headers with possible security
+# risks.
+#
+# -=[ References ]=-
+# https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy)
+# https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it
+#
+SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
+    "id:920450,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\
+    logdata:'Restricted header detected: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    tag:'PCI/12.1',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
+    chain"
+    SecRule TX:/^header_name_920450_/ "@within %{tx.restricted_headers_basic}" \
+        "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Rule against CVE-2022-21907
+# This rule blocks Accept-Encoding headers longer than 100 characters.
+# The length of 100 is a heuristic based on the length of values from
+# the RFC (https://datatracker.ietf.org/doc/rfc9110/)
+# and the respective values assigned by IANA
+# (https://www.iana.org/assignments/http-parameters/http-parameters.xml#content-coding).
+# Concatenating all valid values for Accept-Encoding (without q=0.5) resulted in a value of 93:
+# aes128gcm, br, compress, deflate, exi, gzip, identity, pack200-gzip, x-compress, x-gzip, zstd
+#
+# This rule has a stricter sibling: 920521
+#
+SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \
+    "id:920520,\
+    phase:1,\
+    block,\
+    t:none,t:lowercase,t:length,\
+    msg:'Accept-Encoding header exceeded sensible length',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153',\
+    tag:'PCI/12.1',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Restrict response charsets that we allow.
+# The following rules make sure that the response will be in an ASCII-compatible charset that
+# phase 4 rules can properly understand and block.
+#
+#
+# Some servers rely on the request Accept header to determine what charset to respond with.
+# This rule restricts these to familiar charsets.
+#
+# Regular expression generated from regex-assembly/920600.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 920600
+#
+SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
+    "id:920600,\
+    phase:1,\
+    block,\
+    t:none,t:lowercase,\
+    msg:'Illegal Accept header: charset parameter',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Unicode character bypass check for non JSON requests
+# See reported bypass in issue:
+# https://github.com/coreruleset/coreruleset/issues/2512
+#
+SecRule REQBODY_PROCESSOR "!@streq JSON" \
+    "id:920540,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'Possible Unicode character bypass detected',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153/267/72',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
+        "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# Disallow any raw URL fragments. The '#' character should be omitted or URL-encoded.
+# CRS rules generally do not check REQUEST_URI_RAW, but some servers accept the fragment as part of the URL path/query.
+# This creates false negative evasions.
+#
+SecRule REQUEST_URI_RAW "@contains #" \
+    "id:920610,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Raw (unencoded) fragment in request URI',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+#
+# The following rule (920620) checks for the presence of 2 or more request Content-Type headers.
+# Content-Type confusion poses a significant security risk to a web application. It occurs when
+# the server and client have different interpretations of the Content-Type header, leading to
+# miscommunication, potential exploitation and WAF bypass.
+#
+# Using Apache, when multiple Content-Type request headers are received, the server combines them
+# into a single header with the values separated by commas. For example, if a client sends multiple
+# Content-Type headers with values "application/json" and "text/plain", Apache will combine them
+# into a single header like this: "Content-Type: application/json, text/plain".
+#
+# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each
+# header as a separate entity without combining them. So, if a client sends multiple Content-Type
+# headers, Nginx will keep them separate, maintaining the original values.
+#
+SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
+    "id:920620,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Multiple Content-Type Request Headers',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+#
+# -=[ Rule Logic ]=-
+#
+# Check the number of range fields in the Range request header.
+#
+# An excessive number of Range request headers can be used to DoS a server.
+# The original CVE proposed an arbitrary upper limit of 5 range fields.
+#
+# Several clients are known to request PDF fields with up to 62 range
+# fields. Therefore the standard rule does not cover PDF files. This is
+# performed in two separate (stricter) siblings of this rule.
+#
+# 920200: PL2: Limit of 5 range header fields for all filenames outside of PDFs
+# 920201: PL2: Limit of 62 range header fields for PDFs
+# 920202: PL4: Limit of 5 range header fields for PDFs
+#
+# -=[ References ]=-
+# https://httpd.apache.org/security/CVE-2011-3192.txt
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
+    "id:920200,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Range: Too many fields (6 or more)',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    chain"
+    SecRule REQUEST_BASENAME "!@endsWith .pdf" \
+        "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
+#
+# This is a sibling of rule 920200
+#
+SecRule REQUEST_BASENAME "@endsWith .pdf" \
+    "id:920201,\
+    phase:1,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Range: Too many fields for pdf request (63 or more)',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    chain"
+    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
+        "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
+SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
+    "id:920230,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'Multiple URL Encoding Detected',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153/267/120',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
+#
+# PL2: This is a stricter sibling of 920270.
+#
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
+    "id:920271,\
+    phase:2,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Invalid character in request (non printable characters)',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+#
+# Missing User-Agent Header
+#
+# -=[ Rule Logic ]=-
+# This rules will check to see if there is a User-Agent header or not.
+#
+SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
+    "id:920320,\
+    phase:1,\
+    pass,\
+    t:none,\
+    msg:'Missing User Agent Header',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'NOTICE',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
+#
+# PL2: This is a stricter sibling of 920120.
+#
+SecRule FILES_NAMES|FILES "@rx ['\";=\x5c]" \
+    "id:920121,\
+    phase:2,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Attempted multipart/form-data bypass',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+#
+# PL2: Block on Missing Content-Type Header with Request Body
+# This is a stricter sibling of rule 920340.
+#
+# -=[ References ]=-
+# http://httpwg.org/specs/rfc7231.html#header.content-type
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
+    "id:920341,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Request Containing Content Requires Content-Type header',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
+        "t:none,\
+        setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+#
+# PL2: This is a stricter sibling of 920450.
+#
+SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
+    "id:920451,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\
+    logdata:'Restricted header detected: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    tag:'PCI/12.1',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
+    chain"
+    SecRule TX:/^header_name_920451_/ "@within %{tx.restricted_headers_extended}" \
+        "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+#
+# Check URL encodings
+#
+# See comment on rule 920220.
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \
+    "id:920240,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'URL Encoding Abuse Attack Attempt',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153/267/72',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    chain"
+    SecRule REQUEST_BODY "@rx \x25" \
+        "chain"
+        SecRule REQUEST_BODY "@validateUrlEncoding" \
+            "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+#
+# PL 3: This is a stricter sibling of 920270. Ascii range: Printable characters in the low range
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \
+    "id:920272,\
+    phase:2,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Invalid character in request (outside of printable chars below ascii 127)',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/3',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+#
+# Missing Accept Header
+#
+# This rule has been moved to PL3
+#
+# -=[ Rule Logic ]=-
+# This rule generates a notice if the Accept header is missing.
+# RFC 7231 does not enforce the use of the Accept header.
+# It is just typical browser behavior to send and it can indicate a malicious client.
+#
+# Notice: The rule tries to avoid known false positives by ignoring
+# OPTIONS requests, CONNECT requests, and requests coming from known
+# offending User-Agents via two chained rules.
+# As ModSecurity only reports the match of the last matching rule,
+# the alert is misleading.
+#
+SecRule &REQUEST_HEADERS:Accept "@eq 0" \
+    "id:920300,\
+    phase:1,\
+    pass,\
+    t:none,\
+    msg:'Request Missing an Accept Header',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/3',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'NOTICE',\
+    chain"
+    SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
+        "chain"
+        SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \
+            "t:none,\
+            setvar:'tx.inbound_anomaly_score_pl3=+%{tx.notice_anomaly_score}'"
+#
+# PL3: The little known x-up-devcap-post-charset request header can be used to submit
+# a request with a different encoding as an alternative to the charset parameter in
+# the Content-Type header. This can be used to circumvent charset restrictions on
+# the Content-Type header in ASP.NET.
+# Note that this only works in combination with a User-Agent prefix.
+#
+# This rule is based on a blog post by Soroush Dalili at
+# https://soroush.me/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/
+#
+SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
+    "id:920490,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Request header x-up-devcap-post-charset detected in combination with prefix \'UP\' to User-Agent',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'language-aspnet',\
+    tag:'platform-windows',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/3',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
+        "t:none,\
+        setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+#
+# Cache-Control Request Header allow list
+#
+# -=[ Rule Logic ]=-
+# This rule aims to strictly allow list the Cache-Control request header
+# values and to blocks all violations. This should be useful to intercept
+# "bad bot" and tools that impersonate a real browser but with wrong request
+# header setup.
+#
+# The regular expression used on this rule tries to match multiple directives
+# in a single value, for example: "max-stale=1, max-age=2". This leads us to
+# use a regular expression that accepts a trailing comma to keep compatibility
+# with all regex engines and not PCRE only. For example: "max-stale=1, max-age=2, "
+#
+# Moreover, this regular expression allows duplicate directives sequence like:
+# "max-stale, max-stale=1, no-cache, no-cache".
+#
+# Standard Cache-Control directives that can be used by the client:
+#   - max-age=<seconds>
+#   - max-stale[=<seconds>]
+#   - min-fresh=<seconds>
+#   - no-cache
+#   - no-store
+#   - no-transform
+#   - only-if-cached
+#
+# References:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+# - https://regex101.com/r/CZ0Hxu/22
+#
+SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
+    "id:920510,\
+    phase:1,\
+    block,\
+    t:none,\
+    msg:'Invalid Cache-Control request header',\
+    logdata:'Invalid Cache-Control value in request found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'header-allowlist',\
+    tag:'paranoia-level/3',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
+        "setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+#
+# This rule checks for valid Accept-Encoding headers
+#
+# This rule has a less strict sibling: 920520
+#
+# Regular expression generated from regex-assembly/920521.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 920521
+#
+SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|\*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" \
+    "id:920521,\
+    phase:1,\
+    block,\
+    t:none,t:lowercase,\
+    msg:'Illegal Accept-Encoding header',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/3',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/255/153',\
+    tag:'PCI/12.1',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+#
+# This is a stricter sibling of rule 920200
+#
+SecRule REQUEST_BASENAME "@endsWith .pdf" \
+    "id:920202,\
+    phase:1,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Range: Too many fields for pdf request (6 or more)',\
+    logdata:'%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/4',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'WARNING',\
+    chain"
+    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
+        "setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}'"
+#
+# This is a stricter sibling of 920270.
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" \
+    "id:920273,\
+    phase:2,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Invalid character in request (outside of very strict set)',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/4',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+#
+# This is a stricter sibling of 920270.
+#
+SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User|!REQUEST_HEADERS:Sec-CH-UA|!REQUEST_HEADERS:Sec-CH-UA-Mobile "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \
+    "id:920274,\
+    phase:1,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Invalid character in request headers (outside of very strict set)',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/4',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+#
+# This is a stricter sibling of 920270.
+# The headers of this rule are Structured Header booleans, for which only `?0`,
+# and `?1` are inconspicuous.
+# Structured Header boolean: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-header-structure-19#section-3.3.6
+# Sec-Fetch-User: https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user
+# Sec-CH-UA-Mobile: https://wicg.github.io/ua-client-hints/#sec-ch-ua-mobile
+#
+SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(?:\?[01])?$" \
+    "id:920275,\
+    phase:1,\
+    block,\
+    t:none,t:urlDecodeUni,\
+    msg:'Invalid character in request headers (outside of very strict set)',\
+    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/4',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+# -=[ Abnormal Character Escapes ]=-
+#
+# [ Rule Logic ]
+# Consider the following payload: arg=cat+/e\tc/pa\ssw\d
+# Here, \s and \d were only used to obfuscate the string passwd and a lot of
+# parsers will silently ignore the non-necessary escapes. The case with \t is
+# a bit different though, as \t is a natural escape for the TAB character,
+# so we will avoid this (and \n, \r, etc.).
+#
+# This rule aims to detect non-necessary, abnormal escapes. You could say it is
+# a nice way to forbid the backslash character where it is not needed.
+#
+# This is a new rule at paranoia level 4. We expect quite a few false positives
+# for this rule and we will later evaluate if the rule makes any sense at all.
+# The rule is redundant with 920273 and 920274 in PL4. But if the rule proofs
+# to be useful and false positives remain at a reasonable level, then it might
+# be shifted to PL3 in a future release, where it would be the only rule
+# covering the backslash escape.
+#
+# We forbid backslashes followed by a list of basic ascii characters - unless
+# the backslash is preceded by another backslash.
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdeghijklmpqwxyz123456789]" \
+    "id:920460,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:htmlEntityDecode,t:lowercase,\
+    msg:'Abnormal character escapes in request',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/4',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/153/267',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"