I'm in the process of testing. I have put modsecurity on my server today and, on default settings with no configuration, it broke passbolt.
First test, I added:
SecRuleEngine DetectionOnly
to /etc/apache2/sites-enabled/passbolt.conf to turn modsecurity off entirely for the passbolt virtual host, and then passbolt worked normally. So on default settings modsecurity certainly breaks things.
Second test, using the instructions from here (ModSecurity Configuration for Passbolt | Michael A. Mead), I added:
<Location "/auth/verify.json">
SecRuleRemoveById 200004 942100
</Location>
<Location "/import/resources.json">
SecRuleRemoveById 942100
</Location>
<Location "/resources.json">
SecRuleRemoveById 942100
</Location>
<LocationMatch "^/resources/.*">
SecRuleRemoveById 911100 980130 942100
</LocationMatch>
<LocationMatch "^/users/.*">
SecRuleRemoveById 911100
</LocationMatch>
<LocationMatch "^/setup/completeRecovery/.*\.json">
SecRuleRemoveById 980130 911100 949110
</LocationMatch>
to /etc/apache2/sites-enabled/passbolt.conf, then restarted apache2:
sudo systemctl restart apache2
and at the moment passbolt is still working as expected…
And if I try to be nasty, it's 403'ing as it should.
Need a 403 page for passbolt though.
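The per-location SecRuleRemoveById list in the post is exactly what you derive from the ModSecurity log while the engine runs in DetectionOnly mode (that mode still evaluates and logs every rule, it just does not block). The script below is an added example, not code from the post or from the linked article: it parses the bracketed `[id "..."]`, `[msg "..."]` and `[uri "..."]` fields that ModSecurity 2.x writes to the Apache error log, folds passbolt's per-object paths (the hex UUID segments; an assumption about passbolt's URL layout) into one LocationMatch pattern, and prints a draft exclusion block. It also separates the CRS anomaly-score rules 949110 and 980130, which fire only because other rules raised the score, so that the draft excludes the rule that actually produced the false positive rather than switching blocking off for the path. The log lines are constructed samples, not real traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format ModSecurity 2.x writes to the Apache error log
# (assumption: a stock modsecurity-crs install; hosts, ids and timestamps are made up).
SAMPLE_LOG = r"""
[Tue Mar 01 10:00:01.123456 2022] [:error] [pid 1201:tid 140] [client 192.0.2.10:51234] [client 192.0.2.10] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "passbolt.example.com"] [uri "/auth/verify.json"] [unique_id "YhAAAA"]
[Tue Mar 01 10:00:01.123789 2022] [:error] [pid 1201:tid 140] [client 192.0.2.10:51234] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "passbolt.example.com"] [uri "/auth/verify.json"] [unique_id "YhAAAA"]
[Tue Mar 01 10:02:15.000001 2022] [:error] [pid 1202:tid 141] [client 192.0.2.11:51300] [client 192.0.2.11] ModSecurity: Warning. Match of "rx ^(?:GET|HEAD|POST|OPTIONS)$" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "27"] [id "911100"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "passbolt.example.com"] [uri "/users/8d04cf5e.json"] [unique_id "YhBBBB"]
[Tue Mar 01 10:02:15.000300 2022] [:error] [pid 1202:tid 141] [client 192.0.2.11:51300] [client 192.0.2.11] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5)"] [hostname "passbolt.example.com"] [uri "/users/8d04cf5e.json"] [unique_id "YhBBBB"]
[Tue Mar 01 10:05:00.000000 2022] [:error] [pid 1203:tid 142] [client 192.0.2.12:51400] AH01630: client denied by server configuration: /var/www/passbolt/.git
"""

# ModSecurity log fields look like [id "942100"]; quotes inside a value are backslash-escaped.
FIELD = re.compile(r'\[(id|msg|uri) "((?:[^"\\]|\\.)*)"\]')

# CRS anomaly-score rules: they fire because *other* rules raised the score. Removing them
# (as the setup/completeRecovery block in the post does) disables blocking for that path
# instead of fixing the false positive, so they are reported separately, never excluded.
CONTROL_RULES = {"949110", "980130"}

# Path segments that are hex/UUID object ids (assumption: passbolt's resource/user URLs).
ID_SEGMENT = re.compile(r"^[0-9a-f-]{8,}(\.json)?$")


def parse_events(log_text):
    """Return (uri, rule_id, msg) for every ModSecurity event line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "id" in fields and "uri" in fields:
            events.append((fields["uri"], fields["id"], fields.get("msg", "")))
    return events


def location_block(uri):
    """Map a request URI to an Apache container: a plain <Location> for a fixed path, or a
    <LocationMatch> regex when the path carries an object id, so per-object hits fold together."""
    parts, generalized = [], False
    for seg in uri.split("/"):
        m = ID_SEGMENT.match(seg)
        if m:
            parts.append("[^/]+" + (r"\.json" if m.group(1) else ""))
            generalized = True
        else:
            parts.append(re.escape(seg))
    if generalized:
        return ("LocationMatch", "^" + "/".join(parts) + "$")
    return ("Location", uri)


def summarize(events):
    """Group triggered rule ids by container -> {(directive, arg): {"exclude", "control", "msgs"}}."""
    summary = defaultdict(lambda: {"exclude": set(), "control": set(), "msgs": {}})
    for uri, rule_id, msg in events:
        key = location_block(uri)
        bucket = "control" if rule_id in CONTROL_RULES else "exclude"
        summary[key][bucket].add(rule_id)
        summary[key]["msgs"][rule_id] = msg
    return dict(summary)


def render_exclusions(summary):
    """Render a draft SecRuleRemoveById block per container, with the rule message as a comment."""
    out = []
    for (directive, arg) in sorted(summary):
        info = summary[(directive, arg)]
        if info["exclude"]:
            out.append(f'<{directive} "{arg}">')
            for rule_id in sorted(info["exclude"]):
                out.append(f'    # {rule_id}: {info["msgs"][rule_id]}')
            out.append("    SecRuleRemoveById " + " ".join(sorted(info["exclude"])))
            out.append(f"</{directive}>")
        for rule_id in sorted(info["control"]):
            out.append(f"# {arg}: {rule_id} is a CRS anomaly-score rule; exclude the rules that "
                       "raised the score instead of removing it")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_exclusions(summarize(parse_events(SAMPLE_LOG))))
```

Feed it the real error log (`/var/log/apache2/error.log` on a stock Debian/Ubuntu install) after a full pass through the passbolt UI in DetectionOnly mode, review each generated comment against what the endpoint legitimately does, then switch `SecRuleEngine` back to `On`. For the custom 403 page the post asks about, Apache's `ErrorDocument 403 /path/to/page.html` directive inside the passbolt virtual host serves your own page in place of the default one.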