• Do you guys ever test your software with mod_security2 enabled on Apache2? Because I’m seeing 403 errors when I try to save some pages. When I look at the log files, I see mod_security2 being triggered for XSS, RCE, and various other things due to the content of the POST data. The POST data doesn’t look malicious (obviously), however it still triggers mod_security2.

    Now, I can add commands for the web site config file like…

    <LocationMatch "^/wp-admin/admin-ajax\.php">
       SecRuleRemoveById 932130
       SecRuleRemoveById 934100
       SecRuleRemoveById 941110
       SecRuleRemoveById 941160
       SecRuleRemoveById 941370
       SecRuleRemoveById 949110
       SecRuleRemoveById 980130
       SecRuleRemoveById 941100
    </LocationMatch>

    But I’d rather not make my server less secure, and have you guys fix your posting technique. I would recommend that you bundle up all your POST data and encode it on the client side in a manner that mod_security2 can’t examine, and then submit the data. Decode on the server side before using, of course.

    Just about any encoding technique should work, base64, rot13, whatever.

  • The topic ‘mod_security2 blocks saving posts’ is closed to new replies.
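
Added example, not part of the original post or the plugin's code: a narrower ModSecurity exclusion that drops only one POST parameter from the detection rules listed above instead of removing those rules for all of `admin-ajax.php`. The rule id `10001`, the action value `example_save_action` and the parameter name `content` are placeholders (assumptions); the real names come from the `ARGS:` names in the ModSecurity log entries for the blocked request.

```apache
# Added example. Placeholders (assumptions, not from the post):
#   id:10001             any unused id from the local rule range
#   example_save_action  the admin-ajax "action" value sent when saving
#   ARGS:content         the POST parameter that carries the page markup
#
# Load this before the Core Rule Set request rules. It runs in phase 2
# because POST arguments are only available once the request body has
# been parsed, and it must run ahead of the rules it adjusts.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:10001,\
    phase:2,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule ARGS:action "@streq example_save_action" \
        "t:none,\
        ctl:ruleRemoveTargetById=932130;ARGS:content,\
        ctl:ruleRemoveTargetById=934100;ARGS:content,\
        ctl:ruleRemoveTargetById=941100;ARGS:content,\
        ctl:ruleRemoveTargetById=941110;ARGS:content,\
        ctl:ruleRemoveTargetById=941160;ARGS:content,\
        ctl:ruleRemoveTargetById=941370;ARGS:content"

# 949110 and 980130 are deliberately not touched. In the Core Rule Set
# they are the anomaly-score blocking and correlation rules, not detection
# rules: removing 949110 for a location stops blocking there for every
# rule, and both stop firing by themselves once the detection rules above
# no longer add to the score for this parameter.
```

Every other parameter of the request, and every other `admin-ajax.php` action, stays under full inspection.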