Description: Defines the default list of actions, which will be inherited by the rules in the same configuration context.
Version Compatibility: v1.0+
Tinygo Compatibility: true
SecDefaultAction "phase:2,log,auditlog,deny,status:403,tag:'SLA 24/7'"
Every rule following a previous SecDefaultAction directive in the same configuration context will inherit its settings unless more specific actions are used.
Rulesets like OWASP Core Ruleset uses this to define operation modes:
- You can set the default disruptive action to block for phases 1 and 2 and you can force a phase 3 rule to be disrupted if the thread score is high.
- You can set the default disruptive action to deny and each risky rule will interrupt the connection.
**Important:**Every SecDefaultAction directive must specify a disruptive action and a processing phase and cannot contain metadata actions.