Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

We're retiring the forums!

The SilverStripe forums have passed their heyday. They'll stick around, but will be read only. We'd encourage you to get involved in the community via the following channels instead:

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, Ed, biapar, Willr, Ingo, swaiba

SilverStripe causing users to trip a mod_security rule?

Go to End



Community Member, 89 Posts

29 March 2011 at 10:58pm

I run several SilverStripe sites on my server. Ever since I launched one the sites, I've been receiving at least 2 e-mails every day, saying mod_security has permanently blocked a user accessing this site as they tripped one of the mod_security rules.

The exact log entries are:

[Wed Mar 16 13:01:08 2011]
ModSecurity: Access denied with code 501 (phase 2).
Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required.
[file "/usr/local/apache/conf/modsec2.user.conf"]
[line "38"]
[id "960032"]
[msg "Method is not allowed by policy"]
[severity "CRITICAL"]
[hostname ""]
[uri "/assets"]
[unique_id "TYC0lG17QnoAAFBVOhIAAAAF"]

Usually it blocks them after 5 of these.

It appears to be saying that the user tried to use a method other than POST, GET, OPTIONS or HEAD.

The site receives roughly 100 visits a day, and I receive at least 2 or 3 emails per day with this error. All from different users, sometimes from users I know are definitely genuine.

So I suppose I'd like to know the following:
- What is causing the users to trip this rule? Is it SilverStripe?
- What can I do to stop legitimate users getting blocked?
- Is it safe to just disable this rule?

Any advice would be much appreciated.