Mod_security issue with DELETE and PUT request?

Question

Hello everyone,

I build a simple API and everything is working fine on my localhost. When i placed it on my server i started getting this error when i try to do a PUT or DELETE request. I looked up the NOYB thing and i found out that i have Mod_Security enabled and that this is causing the error. I tried switching this off for the domain but either i'm doing it wrong or this is not the problem.

I hope you guys can help me out real quick here since this needs to be working before the end of the night. Any help is appreciated.

Answer 1

Although it is a bit late for your needs, here is an answer which may help others in your situation.

Fist create the tools needed to test the solution, assuming a configuration using PHP:

//server-side script test-put.php
< ?php
parse_str(file_get_contents('php://input'), $vars);
print_r($vars);

---

//client-side script send-put-req.php
< ?php 
$result = file_get_contents(
   'http://www.testsite.ro/test-put.php', 
    false, 
    stream_context_create(array(
       'http' => array(
       'method' => 'PUT' 
       )
    ))
);

print_r($result);

Then look into the error_log file (/usr/local/apache/logs/error_log) for the line of mod_security complaning every time a request comes from the script above. In my configuration I had to change this one (/usr/local/apache/conf/modsec2.user.conf):

# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE|PU)T|OPTIONS|HEAD**|DELETE))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"