From 8ffb82b213eba9a36ed4cfcc3bb385eb52d26d9e Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Wed, 8 Nov 2023 22:46:19 +0000
Subject: [PATCH] Remove Accept-Charset from forbidden request headers

GoToSocial apparently sends this header during profile discovery, so blocking it breaks that flow.
---
 docker/conf/modsecurity/crs/crs-setup.conf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/docker/conf/modsecurity/crs/crs-setup.conf b/docker/conf/modsecurity/crs/crs-setup.conf
index bd7adb51..80d0a24f 100644
--- a/docker/conf/modsecurity/crs/crs-setup.conf
+++ b/docker/conf/modsecurity/crs/crs-setup.conf
@@ -428,13 +428,13 @@ SecAction \
 # Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
 # Default: /proxy/ /lock-token/ /content-range/ /if/
 # Uncomment this rule to change the default.
-#SecAction \
-# "id:900250,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
+SecAction \
+ "id:900250,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.restricted_headers=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
 
 # File extensions considered static files.
 # Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
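Review bot: The two comment lines at the top of the hunk, `# Default: /proxy/ /lock-token/ /content-range/ /if/` and `# Uncomment this rule to change the default.`, are now stale: rule 900250 is active, its list adds `/content-encoding/`, and nothing in the file records that Accept-Charset was deliberately left out, which is the whole purpose of the commit. The "Default:" line as written does not even contain `/accept-charset/`, so a reader of this file cannot see what was dropped; if the CRS default being overridden does include it (the subject line implies so), the comment should say that. Replace the two lines with something like `# Overrides the CRS default list, which also contains /accept-charset/; that header is` / `# omitted here because GoToSocial clients send it during profile discovery.` Since this override applies to every request the WAF sees, it is worth stating in the same comment that the relaxation is intentional and global, so a later reviewer does not re-add the header as a "fix".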
-- 
GitLab