Disable mod_security with htaccess

If you too have searched online for a way to disable ModSecurity using htaccess, you know the pain. Every blog or forum post is either old and no longer applicable, or unintentionally misleading. So, to save you some time, here is the simplest way to disable ModSecurity using htaccess.

Let’s assume that you have a specific virtual host that you want to exclude from the WAF. Add the following directive inside that virtual host's block in the configuration file:

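<VirtualHost *:8080>
    # ... the rest of this virtual host's configuration ...

    # Turn the ModSecurity rule engine off for this virtual host only
    SecRuleEngine Off
</VirtualHost>
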
Restart your web server and you are good to go.

Update – July 2014: ModSecurity now has “restricted” htaccess support: https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES#L358-371
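
Once virtual hosts are excluded from the WAF this way, it helps to be able to list every such exclusion. The following is an added example, not code from the original post: the function name `find_waf_exclusions` and the sample configuration are constructed for illustration, and the parser assumes one directive per line with no `Include` resolution or line continuations.

```python
import re

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
SecRuleEngine On
<VirtualHost *:8080>
    ServerName legacy.example.test
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</VirtualHost>
<VirtualHost *:8443>
    # SecRuleEngine Off
    <Location /upload>
        secruleengine DetectionOnly
    </Location>
</VirtualHost>
"""

OPEN = re.compile(r"^<\s*([A-Za-z]+)\s*([^>]*)>$")     # <Section args>
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")          # </Section>
ENGINE = re.compile(r"^SecRuleEngine\s+(\S+)", re.IGNORECASE)


def find_waf_exclusions(conf_text):
    """Return (scope, line_no, mode) for each SecRuleEngine value other than On."""
    stack, findings = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives have no effect
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
        elif (m := ENGINE.match(line)):
            mode = m.group(1).strip('"')
            if mode.lower() != "on":  # Off and DetectionOnly both stop blocking
                scope = " > ".join(stack) or "server config"
                findings.append((scope, line_no, mode))
    return findings


if __name__ == "__main__":
    for scope, line_no, mode in find_waf_exclusions(SAMPLE_CONF):
        print(f"line {line_no}: SecRuleEngine {mode} in {scope}")
```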
