WAF - Allow access to configure ModSecurity variables such as tx.high_risk_country_codes
The tx.highriskcountry_code and other variables like GeoIP database need to be configured for rules in REQUEST-910-IP-REPUTATION to have any affect. These could be defaulted to a value (and documented) for now, but overriding these ModSecurity variables per instance is needed in the future.
As it stands right now it appears that these are not configured, and are leading to people thinking they are protected by these rules when they are not.
Thank you for your suggestion. We are reviewing it and will get back to you.
Richard Beesley commented
Other variables in ModSecurity would also benefit from being customisable e.g. tx.allowed_methods to reflect REST, WebDAV etc.