OWASP CRS blocks Flarum due to `X-HTTP-Method-Override` header

Prcek

Hello guys,

when sending requests to the Flarum API (for example: /api/discussions/<id>), the Coraza WAF blocks the request because the header X-HTTP-Method-Override triggers OWASP CRS rule 920450:

HTTP header is restricted by policy (x-http-method-override)
[id "920450"]
[file "@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"]
[tag "paranoia-level/1"]

This causes an inbound anomaly score and the request is denied by the WAF, even though the header is used legitimately by Flarum’s API and the paranoia level is set to a very relaxed 1.

clarkwinkelmann

Prcek you mean you have this issue when using your forum from the single page app?

Or is this when performing requests from a script? (curl, etc) If this is from a script, you can of course use the actual HTTP verb instead of the X-HTTP-Method-Override header.

I'm not familiar with that firewall. Using that header in a web application seems to be a common use case to me. Surely there should be an option to completely disable this rule if you know your app relies on those headers 🤔

Prcek

SPA reports a permission issue because WAF returns a 403 error. Disabling the rule in the firewall SecRule REQUEST_URI "@beginsWith /api" "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=920450" will resolve the issue. The question is whether it would be better for Flarum to comply with OWASP security rules.