Conversation
Covers new web shell detection rules, HTTP/3 support, HTTP/0.9 removal, restructured restricted headers (basic/extended), RE2/Hyperscan compatibility, and a 3-step methodology for auditing existing exclusions against the CRS 4 rule set. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sets refLinksErrorLevel=WARNING so cross-post ref links don't break the build when sibling posts don't yet exist on the same branch. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The author is already shown from the front matter. Adds the related-pages shortcode to cross-link migration series posts. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Web shell detection is in the 955xxx range (RESPONSE-955-WEB-SHELLS.conf), not 950xxx
- Rewrite the HTTP/0.9 section: the protocol enforcement mechanism and the default allowed list are identical in CRS 3 and CRS 4, so no new rule blocks HTTP/0.9. The actual change is narrower — rule 921110 (response-splitting detection) dropped its HTTP/0.9 carve-out per PR #1966
- Complete the basic restricted headers list with proxy, lock-token, content-range, and if, matching the default tx.restricted_headers_basic
Deploying website with
| Latest commit: | 272ec15 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://5fd2e179.website-1u6.pages.dev |
| Branch Preview URL: | https://blog-crs-migration-part-5.website-1u6.pages.dev |
Pull request overview
Adds the next entry in the CRS 3→4 migration blog series, along with its header image, and tweaks Hugo’s internal-ref error handling to accommodate missing references during publication staging.
Changes:
- Add Part 5 post: “Rule Changes” (new content page + hero image).
- Add Part 1 post: “Overview” (new content page).
- Update Hugo config to downgrade missing `ref`/`relref` targets from errors to warnings.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| static/images/2026/04/pexels-egorkomarov-8824026.jpg | Adds the hero image used by the new post. |
| content/blog/2026-04-27-migrating-from-crs-3-to-crs-4-part-5-rule-changes.md | New Part 5 article content and internal navigation refs. |
| content/blog/2026-03-30-migrating-from-crs-3-to-crs-4-part-1-overview.md | New Part 1 article content and internal navigation refs. |
| config/_default/hugo.yaml | Changes Hugo behavior for missing internal ref targets (ERROR → WARNING). |
Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
Agent-Logs-Url: https://github.com/coreruleset/website/sessions/ae1b0ead-82ff-4306-8a5f-cc2dd65d4f94 Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
📝 Walkthrough
Documents rule-level changes when migrating from CRS 3.3 to CRS 4.25 LTS: new/removed/renumbered rules, response-phase web‑shell detections, default HTTP version adjustments, header restriction tiers, regex engine compatibility shifts, and an exclusion-auditing workflow.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~5 minutes
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Actionable comments posted: 1
🧹 Nitpick comments (1)
content/blog/2026-04-27-migrating-from-crs-3-to-crs-4-part-5-rule-changes.md (1)
31-31: Use version-pinned `CHANGES.md` links to prevent doc drift.
At Line 31, Line 61, and Line 110, linking to `.../blob/main/CHANGES.md` can silently change over time and make migration guidance inconsistent with the stated CRS baseline. Prefer linking to a release tag/commit-specific `CHANGES.md`.
Proposed doc-link hardening
-The authoritative source for all of these changes is the [CHANGES.md](https://github.com/coreruleset/coreruleset/blob/main/CHANGES.md) in the CRS 4.0 release. +The authoritative source for all of these changes is the [CHANGES.md](https://github.com/coreruleset/coreruleset/blob/v4.0/CHANGES.md) in the CRS 4.0 release.-See the "drop HTTP/0.9 support" change in [CHANGES.md](https://github.com/coreruleset/coreruleset/blob/main/CHANGES.md) (PR `#1966`). +See the "drop HTTP/0.9 support" change in [CHANGES.md](https://github.com/coreruleset/coreruleset/blob/v4.0/CHANGES.md) (PR `#1966`).-For each rule ID you found in Step 1, search for it in [CHANGES.md](https://github.com/coreruleset/coreruleset/blob/main/CHANGES.md). +For each rule ID you found in Step 1, search for it in [CHANGES.md](https://github.com/coreruleset/coreruleset/blob/v4.0/CHANGES.md).Also applies to: 61-61, 110-110
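Review bot: all three `+` lines pin the link to `blob/v4.0/`, but the accompanying prompt gives `v4.0.0` as its example tag and the walkthrough describes the migration target as CRS 4.25 LTS. Before applying, confirm that the chosen ref actually resolves in coreruleset/coreruleset and that it matches the baseline the post states, then use that same ref in all three links so the "drop HTTP/0.9 support" entry (PR `#1966`) and the Step 1 rule-ID lookups point at one fixed copy of CHANGES.md.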
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@content/blog/2026-04-27-migrating-from-crs-3-to-crs-4-part-5-rule-changes.md` at line 31, Replace the unstable ".../blob/main/CHANGES.md" links found at the referenced lines (31, 61, 110) with release-tagged or commit-specific URLs (e.g., ".../blob/v4.0.0/CHANGES.md" or a commit SHA) so the CHANGES.md referenced is pinned to the CRS 4.0 release; update each markdown link occurrence of ".../blob/main/CHANGES.md" accordingly to a tag/commit-specific path to prevent doc drift.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In
`@content/blog/2026-04-27-migrating-from-crs-3-to-crs-4-part-5-rule-changes.md`:
- Line 62: Fix the extra double-space typo in the user-facing sentence
describing CRS 4.25.1 and rule `920100`: locate the paragraph mentioning "CRS
4.25.1 (first quarterly LTS backport, scheduled) — request-line validation (rule
`920100`)" and change "requests will trigger" to "requests will trigger"
(remove the extra space) so the sentence reads correctly.
---
Nitpick comments:
In
`@content/blog/2026-04-27-migrating-from-crs-3-to-crs-4-part-5-rule-changes.md`:
- Line 31: Replace the unstable ".../blob/main/CHANGES.md" links found at the
referenced lines (31, 61, 110) with release-tagged or commit-specific URLs
(e.g., ".../blob/v4.0.0/CHANGES.md" or a commit SHA) so the CHANGES.md
referenced is pinned to the CRS 4.0 release; update each markdown link
occurrence of ".../blob/main/CHANGES.md" accordingly to a tag/commit-specific
path to prevent doc drift.
⛔ Files ignored due to path filters (1)
`static/images/2026/04/pexels-egorkomarov-8824026.jpg` is excluded by `!**/*.jpg`
📒 Files selected for processing (1)
content/blog/2026-04-27-migrating-from-crs-3-to-crs-4-part-5-rule-changes.md
…ule-changes.md Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In
`@content/blog/2026-04-27-migrating-from-crs-3-to-crs-4-part-5-rule-changes.md`:
- Line 31: Update the CHANGES.md link so it points to a stable release tag or
LTS branch instead of main: replace the current
"[CHANGES.md](https://github.com/coreruleset/coreruleset/blob/main/CHANGES.md)"
URL with a versioned URL like
"https://github.com/coreruleset/coreruleset/blob/v4.25.0/CHANGES.md" or an LTS
branch URL like
"https://github.com/coreruleset/coreruleset/blob/lts/v4.25.x/CHANGES.md"; apply
the same change to the other occurrence mentioned (around line 110) so all
CHANGES.md references use a pinned tag or LTS branch.
📒 Files selected for processing (1)
content/blog/2026-04-27-migrating-from-crs-3-to-crs-4-part-5-rule-changes.md