Allow ModSecurity Rule Exclusion
ModSecurity is not really designed to be a plug-and-play solution. It almost always requires tuning. Without being able to enter exclusions for certain files or paths, the only option is to disable the rule entirely, which is self-defeating in most cases. An example would be WordPress. ModSecurity will flag certain actions of WordPress core (photo upload to the media gallery using admin or editing a post, for example) as bad actions, meaning you either disable the rule entirely and thus the protection, or turn it on and off when you need to do those actions. Neither of those is really a solution. Without the ability to control how rules are applied, you are left with a pretty useless WAF in a lot of scenarios. Other commercially available ModSecurity products (NGINX WAF, for example) come with the ability to tune ModSecurity to your application needs. The same is needed with application gateway for WAF as well. Otherwise, I'm better off using the plain application gateway to route traffic and creating my own ModSecurity instance for WAF purposes.
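
Added example, not part of the original post: what the requested path-scoped exclusion looks like on a self-managed ModSecurity instance, next to the global disable the post describes. The rule IDs are OWASP Core Rule Set IDs picked for illustration, and the assumption that these are the rules producing false positives on the two WordPress admin endpoints is mine; custom IDs 10001 and 10002 are placeholders.

```apache
# Blunt option: removes the rule for every request on the site.
# Must be loaded after the CRS rule files. Shown commented out on purpose.
# SecRuleRemoveById 942100

# Scoped exclusions: load these BEFORE the CRS rule files so the ctl action
# runs ahead of the rules it modifies.

# Media gallery upload: drop one rule for this endpoint only.
# (942100 = CRS SQL injection detection via libinjection; assumed offender.)
SecRule REQUEST_FILENAME "@streq /wp-admin/async-upload.php" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveById=942100"

# Post editor: keep the rule active, but stop it from inspecting the one
# parameter that carries the post body.
# (941100 = CRS XSS detection via libinjection; assumed offender.)
SecRule REQUEST_FILENAME "@streq /wp-admin/post.php" \
    "id:10002,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveTargetById=941100;ARGS:content"
```

Confirm the actual offending rule IDs and parameter names from the audit log before writing an exclusion, and keep each exclusion as narrow as the false positive allows.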