ModSecurity(TM) is an open source intrusion detection and prevention engine for web applications. It can also be called a web application firewall. It operates embedded into the web server, acting as a powerful umbrella, shielding applications from attacks.
ModSecurity integrates with the web server, increasing your power to deal with web attacks. Some of its features worth mentioning are:
Request filtering; incoming requests are analysed as they come in, and before they get handled by the web server or other modules. (Strictly speaking, some processing is done on the request before it reaches ModSecurity but that is unavoidable in the embedded mode of operation.)
Anti-evasion techniques; paths and parameters are normalised before analysis takes place in order to fight evasion techniques.
Understanding of the HTTP protocol; since the engine understands HTTP, it performs very specific and fine-grained filtering. For example, it is possible to look at individual parameters, or named cookie values.
POST payload analysis; the engine will intercept the contents transmitted using the POST method, too.
Audit logging; full details of every request (including POST) can be logged for forensic analysis later.
HTTPS filtering; since the engine is embedded in the web server, it gets access to request data after decryption takes place.
Compressed content filtering; same as above, the security engine has access to request data after decompression takes place.
ModSecurity can be used to detect attacks, or to detect and prevent attacks.
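The effect of normalising a path before matching, and of the two operating modes (detect only, or detect and prevent), shown as an added example that is not part of the original manual and is not ModSecurity's own code. The rule, the location /private/reports, the function names and the particular normalisation steps are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Hypothetical rule: flag any request path that reaches this location.
SIGNATURE = re.compile(rb"/private/reports")

def normalise(raw_path: bytes) -> bytes:
    """Reduce a request path to one canonical spelling before matching."""
    path = unquote_to_bytes(raw_path)      # decode %XX escapes (one pass)
    path = path.replace(b"\\", b"/")       # assumption: backslash acts as a separator
    out = []
    for seg in path.split(b"/"):
        if seg in (b"", b"."):             # collapse "//" and "/./"
            continue
        if seg == b"..":                   # resolve "/../" without leaving the root
            if out:
                out.pop()
            continue
        out.append(seg)
    return b"/" + b"/".join(out)

def inspect(raw_path: bytes, prevent: bool, normalised: bool = True) -> str:
    """Return 'pass', 'log' (detect only) or 'deny' (detect and prevent)."""
    subject = normalise(raw_path) if normalised else raw_path
    if not SIGNATURE.search(subject):
        return "pass"
    return "deny" if prevent else "log"

# Constructed sample paths: five spellings of one location, then an unrelated one.
SAMPLES = [
    b"/private/reports/q1.txt",
    b"/private//reports/q1.txt",
    b"/private/./reports/q1.txt",
    b"/private/%72eports/q1.txt",
    b"/public/../private/reports/q1.txt",
    b"/public/index.html",
]

if __name__ == "__main__":
    for p in SAMPLES:
        raw = inspect(p, prevent=True, normalised=False)   # matching the raw bytes
        norm = inspect(p, prevent=True)                    # matching after normalising
        print(f"{p.decode():40} raw={raw:5} normalised={norm}")
```

Matching the raw bytes lets three of the five equivalent spellings through; matching the normalised form catches all five, and the prevent flag decides whether a match is only logged or also denied.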
ModSecurity is available under two licenses. Users can choose to use the software under the terms of the GNU General Public License (http://www.gnu.org/licenses/gpl.html), as an Open Source / Free Software product. Alternatively, a variety of commercial licenses is available: end-user licenses for individual or site-wide deployment, OEM licenses for closed-source distribution with applications, web servers, or security appliances. For more information on commercial licensing please contact Thinking Stone.
ModSecurity and mod_security are trademarks of Thinking Stone.
This module would not be possible without the fine people who have created the Apache Web server, and the fine people who have spent many hours building the Apache modules I used to learn Apache module programming from.
ModSecurity is developed by Ivan Ristic and Thinking Stone.
Comments and feature requests are welcome. Please send your emails to
Please do not send support requests to my personal email address. I do spend time responding to support queries but I don't respond privately any more. Doing so prevents other users from using mail archives to find answers for themselves. If you need answers quickly or you want guaranteed response times consider purchasing commercial support from Thinking Stone.