Directives
This section lists the rule directives supported by WGE. Of these, only SecRule and SecAction are runtime directives; all others are configuration-phase directives that take effect immediately upon parsing. Directives such as SecRuleRemoveById, which modify the state of specific rules, must be loaded after the rules they refer to.
Some directives are not implemented in WGE. Most of these (such as SecArgumentSeparator) are still parsed normally by WGE, but their functionality is not implemented. Using them will not cause crashes or errors. Every subpage indicates whether its directive is implemented; please check before use.
Additionally, WGE adds some directives that are not present in ModSecurity (such as SecRuleUpdateOperatorById) for convenience.
| Keyword | Description |
|---|---|
| Include | Include an external configuration file into the current configuration |
| SecAction | Unconditionally execute the specified actions |
| SecArgumentSeparator | Specify the parameter separator character |
| SecArgumentsLimit | Configure the maximum number of acceptable parameters |
| SecAuditEngine | Configure the audit logging engine |
| SecAuditLog | Configure the path to the primary audit log file |
| SecAuditLog2 | Configure the path to the secondary audit log file |
| SecAuditLogDirMode | Configure the directory permission mode for audit log directories |
| SecAuditLogFileMode | Configure the file permission mode for audit log files |
| SecAuditLogFormat | Configure the format of the audit log output |
| SecAuditLogParts | Configure which parts of a transaction should be recorded |
| SecAuditLogRelevantStatus | Configure relevant HTTP status codes for audit logging |
| SecAuditLogStorageDir | Configure the directory for storing audit log files in concurrent mode |
| SecAuditLogType | Configure the type of audit logging mechanism |
| SecCollectionTimeout | Configure the expiration time for persistent collections |
| SecComponentSignature | Add component signature information to the log |
| SecCookieFormat | Configure the cookie parsing format version |
| SecDataDir | Configure the persistent data storage directory |
| SecDebugLog | Configure the debug log file path |
| SecDebugLogLevel | Configure the verbosity level of the debug log |
| SecDefaultAction | Define the default action list for a specific phase |
| SecGeoLookupDb | Configure the geolocation database file path |
| SecHttpBlKey | Configure the HTTP Blacklist API key for @rbl usage |
| SecMarker | Create a rule marker for the skipAfter action |
| SecPcreMatchLimit | Configure the maximum number of PCRE regex matches |
| SecPcreMatchLimitRecursion | Configure the PCRE regex recursion depth limit |
| SecRemoteRules | Load rule configuration from a remote HTTPS server |
| SecRemoteRulesFailAction | Configure how to handle remote rule loading failures |
| SecRequestBodyAccess | Configure whether the WAF can access request body content |
| SecRequestBodyInMemoryLimit | Configure the maximum size of request body buffered in memory |
| SecRequestBodyJsonDepthLimit | Configure the maximum parsing depth for JSON objects |
| SecRequestBodyLimit | Configure the maximum acceptable request body size |
| SecRequestBodyLimitAction | Configure action when request body exceeds limit |
| SecRequestBodyNoFilesLimit | Configure the maximum request body size without file uploads |
| SecResponseBodyAccess | Configure whether the WAF can access response body content |
| SecResponseBodyLimit | Configure the maximum response body buffer size |
| SecResponseBodyLimitAction | Configure action when response body exceeds limit |
| SecResponseBodyMimeType | Configure which response body MIME types should be inspected |
| SecResponseBodyMimeTypesClear | Clear all response body MIME type configurations |
| SecRule | Define a security rule |
| SecRuleEngine | Configure the operating mode of the rule engine |
| SecRuleRemoveById | Remove rules by ID |
| SecRuleRemoveByMsg | Remove rules by msg content |
| SecRuleRemoveByTag | Remove rules by tag |
| SecRuleScript | Define rule logic using Lua scripts |
| SecRuleUpdateActionById | Update a rule’s actions by ID |
| SecRuleUpdateOperatorById | Update the operator of a rule by ID (WGE extension) |
| SecRuleUpdateOperatorByTag | Update the operator of rules by tag (WGE extension) |
| SecRuleUpdateTargetById | Update a rule’s variable list by ID |
| SecRuleUpdateTargetByMsg | Update a rule’s variable list by message content |
| SecRuleUpdateTargetByTag | Update a rule’s variable list by tag |
| SecStatusEngine | Configure the status engine for runtime statistics |
| SecTmpDir | Configure the temporary file storage directory |
| SecTmpSaveUploadedFiles | Configure whether to save uploaded files to temp directory |
| SecUnicodeMapFile | Configure the Unicode mapping file path and code page |
| SecUploadDir | Configure the storage directory for file uploads |
| SecUploadFileLimit | Configure the maximum number of files per upload request |
| SecUploadFileMode | Configure the permission mode for uploaded files |
| SecUploadKeepFiles | Configure whether to keep uploaded files after processing |
| SecWebAppId | Configure the web application identifier |
| SecXmlExternalEntity | Configure whether XML external entity processing is allowed |