SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page: https://modsecurity.org/crs

MULTIPART_STRICT_ERROR False Positive

osamamaruf opened this issue

Description

ModSecurity flags the following content type header:

Content-Type: multipart/form-data; boundary="----=_Part_0_1679309349.1580725603211"

The boundary should be allowed to have quotes.

Audit Logs / Triggered Rule Numbers

MULTIPART_BOUNDARY_QUOTED
MULTIPART_DATA_BEFORE

The above rules have been triggered from 200003.

2020/02/03 10:26:43 [warn] 49#49: *2962 [client XX.XX.XXX.XX] ModSecurity: Access denied with code 400 (phase 2). Matched "Operator `Eq' with parameter `0' against variable `MULTIPART_STRICT_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity/modsecurity.conf"] [line "61"] [id "200003"] [rev ""] [msg "Multipart request body failed strict validation: \x0aPE 0, \x0aBQ 1, \x0aBW 0, \x0aDB 1, \x0aDA 0, \x0aHF 0, \x0aLF 0, \x0aSM 0, \x0aIQ 0, \x0aIP 0, \x0aIH 0, \x0aFL "] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "XX.XX.XXX.XX"] [uri "/api/my-test"] [unique_id "158072560325.818190"] [ref "v660,1"], client: XX.XX.XXX.XX, server: api-server.com, request: "POST /api/my-test?hello HTTP/1.1", host: "api-server.com"

Your Environment

  • CRS version (v3.0.0)
  • ModSecurity version (3.0.2)
  • Web Server and version (Nginx 1.15.9)

Confirmation

[X] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

Sorry for the inconvenience, but the rule 200003 is not part of CRS, it is one of the recommended rules by ModSecurity itself. It is based on variables written by ModSecurity and thus the engine itself.

I'm closing this here and ask you to go over to the ModSec project.
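
A triage helper for the rule 200003 log line quoted in the issue, as an added example that is not part of the original thread or of the ModSecurity or CRS code. It decodes the two-letter flags in the `msg` field into the variables they stand for in the rule 200003 message template of ModSecurity's recommended `modsecurity.conf`; the function names and the shortened sample line are constructed for illustration.

```python
import re

# Abbreviations in the msg template of rule 200003 (recommended
# modsecurity.conf) and the engine variables they expand.
FLAGS = {
    "PE": "REQBODY_PROCESSOR_ERROR",
    "BQ": "MULTIPART_BOUNDARY_QUOTED",
    "BW": "MULTIPART_BOUNDARY_WHITESPACE",
    "DB": "MULTIPART_DATA_BEFORE",
    "DA": "MULTIPART_DATA_AFTER",
    "HF": "MULTIPART_HEADER_FOLDING",
    "LF": "MULTIPART_LF_LINE",
    "SM": "MULTIPART_MISSING_SEMICOLON",
    "IQ": "MULTIPART_INVALID_QUOTING",
    "IP": "MULTIPART_INVALID_PART",
    "IH": "MULTIPART_INVALID_HEADER_FOLDING",
    "FL": "MULTIPART_FILE_LIMIT_EXCEEDED",
}

# Constructed sample: id and msg fields as they appear in the issue's log line.
SAMPLE_LINE = (
    r'[id "200003"] [rev ""] [msg "Multipart request body failed strict '
    r'validation: \x0aPE 0, \x0aBQ 1, \x0aBW 0, \x0aDB 1, \x0aDA 0, \x0aHF 0, '
    r'\x0aLF 0, \x0aSM 0, \x0aIQ 0, \x0aIP 0, \x0aIH 0, \x0aFL "] [data ""]'
)

MSG_RE = re.compile(
    r'\[msg "Multipart request body failed strict validation:(.*?)"\]')
PAIR_RE = re.compile(r'\b([A-Z]{2}) ?([^,\s"]*)')

def parse_strict_error(line):
    """Return {variable: int or None} for a rule 200003 line, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    # The log escapes the template's line breaks as a literal \x0a.
    body = m.group(1).replace(r"\x0a", " ")
    result = {}
    for abbr, value in PAIR_RE.findall(body):
        if abbr in FLAGS:
            # An empty value (FL in the sample) is reported as None.
            result[FLAGS[abbr]] = int(value) if value.isdigit() else None
    return result

def tripped(line):
    """Sorted names of the variables that are non-zero in the line."""
    parsed = parse_strict_error(line) or {}
    return sorted(name for name, value in parsed.items() if value)
```

For the sample line, `tripped` returns the same two variables listed in the issue, MULTIPART_BOUNDARY_QUOTED and MULTIPART_DATA_BEFORE.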