-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Phasing out SecStatusEngine #3122
Labels
2.x
Related to ModSecurity version 2.x
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A small discussion happened on the Slack #project-modsecurity from OWASP where I pointed out that, with TW changing ownership to OWASP of modsecurity, the domain name might need to be transmitted so that the SecStatusEngine option (https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secstatusengine), if this is still used, is still working as expected.
According to @fzipi, this option should be disabled since a long time ago. This has been done in the default config 2 months ago by @airween (f850932).
@dune73 mentioned that this domain will be still in the hands of TW until Summer 2024, and that TW is not having their status engine in operation for quite some time.
That being said, we all pretty much agree that:
This is where I'm proposing removal of this option from v2, while knowing this operation should be carefully considered so that no configuration gets broken.
Probably we could first warn about this option being deprecated, following by removing the actual logic while keeping the warning, and finally removing this option altogether from the parsing logic and the documentations.
The text was updated successfully, but these errors were encountered: