From 75bb34957bb723e91c8834ae9013659589016a4f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 13 Jun 2026 21:33:01 +0000 Subject: [PATCH 01/15] Add var/www/html/.user.ini: set PHP upload_max_filesize=100M, post_max_size=105M --- var/www/html/.user.ini | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 var/www/html/.user.ini diff --git a/var/www/html/.user.ini b/var/www/html/.user.ini new file mode 100644 index 0000000..7daef83 --- /dev/null +++ b/var/www/html/.user.ini 
@@ -0,0 +1,33 @@ +; ============================================================================= +; PHP-FPM per-directory upload size overrides +; Deployed to: /var/www/html/.user.ini +; +; PHP-FPM scans for .user.ini files in the directory containing each requested +; PHP file and all parent directories up to the document root. Settings placed +; here apply to every PHP request served from /var/www/html/, covering all +; WordPress admin, REST API, and front-end upload flows. +; +; NOTE: upload_max_filesize and post_max_size are PHP_INI_PERDIR entries that +; CANNOT be changed at runtime via ini_set() — they must live here (or in +; php.ini / a FPM pool .conf). Web access to this file is blocked by the +; Apache common-settings.conf deny rule. +; +; These values mirror the nginx per-route body-size limits: +; /wp-admin/update.php → client_max_body_size 64m +; /wp-admin/async-upload.php → client_max_body_size 100m +; /wp-json/wp/v2/media → client_max_body_size 100m +; +; upload_max_filesize: individual file cap — set to 100M to cover the media +; upload ceiling (videos, audio). Gutenberg plugin ZIPs (~35 MB) are well +; inside this value. +; +; post_max_size: total POST body cap — must exceed upload_max_filesize to +; leave room for multipart boundary, form fields, and chunk overhead. +; 105M provides ~5M of headroom above the 100M file cap. +; +; Cloudflare hard cap: 100 MB per request (free/pro plans). No value here +; should exceed that limit. +; ============================================================================= + +upload_max_filesize = 100M +post_max_size = 105M From 5993429517b524e47e7cb698b45355d09d3bed4e Mon Sep 17 00:00:00 2001 From: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> Date: Fri, 19 Jun 2026 09:16:50 -0700 Subject: [PATCH 02/15] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> 
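Review bot: The header describes .user.ini as applying to every PHP request from /var/www/html/ but omits the SAPI caveat: .user.ini files are only read by the CGI/FastCGI SAPIs (PHP-FPM), so if any vhost behind the Apache rule this header mentions runs PHP through mod_php, both directives are silently ignored there and that vhost stays on php.ini. Scanning also depends on `user_ini.filename` being non-empty in php.ini, which the header does not say. Suggest adding `; Only honored under PHP-FPM/CGI (user_ini.filename must be set); mod_php ignores .user.ini.` to the "PHP-FPM scans" paragraph so an operator checking an upload failure knows which SAPI to verify.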
Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> --- var/www/html/.user.ini | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/var/www/html/.user.ini b/var/www/html/.user.ini index 7daef83..ee21d1a 100644 --- a/var/www/html/.user.ini +++ b/var/www/html/.user.ini @@ -25,8 +25,10 @@ ; leave room for multipart boundary, form fields, and chunk overhead. ; 105M provides ~5M of headroom above the 100M file cap. ; -; Cloudflare hard cap: 100 MB per request (free/pro plans). No value here -; should exceed that limit. +; Cloudflare hard cap: ~100 MB per request (plan-dependent). Keep +; upload_max_filesize at/under that cap; post_max_size may be slightly higher +; to allow multipart overhead, but the effective request size is still capped +; upstream. ; ============================================================================= upload_max_filesize = 100M From 51002d5bd583f36f554ec0957562faf1d9e472be Mon Sep 17 00:00:00 2001 From: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> Date: Fri, 19 Jun 2026 09:17:06 -0700 Subject: [PATCH 03/15] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> --- var/www/html/.user.ini | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/var/www/html/.user.ini b/var/www/html/.user.ini index ee21d1a..86effcb 100644 --- a/var/www/html/.user.ini +++ b/var/www/html/.user.ini 
@@ -8,9 +8,9 @@ ; WordPress admin, REST API, and front-end upload flows. ; ; NOTE: upload_max_filesize and post_max_size are PHP_INI_PERDIR entries that -; CANNOT be changed at runtime via ini_set() — they must live here (or in -; php.ini / a FPM pool .conf). Web access to this file is blocked by the -; Apache common-settings.conf deny rule. +; php.ini / a FPM pool .conf). Web access to this file is blocked by the +; Nginx dotfile deny (location ~ /\. { deny all; }) and by Apache +; common-settings.conf ( Require all denied). ; ; These values mirror the nginx per-route body-size limits: ; /wp-admin/update.php → client_max_body_size 64m From b837792c2014117a9ecb96ed4f82e2dba79a355f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Jun 2026 16:23:40 +0000 Subject: [PATCH 04/15] Exempt WordPress upload routes from UA/geo 403 blocking --- nginx/snippets/spx-upload-limits.conf | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/nginx/snippets/spx-upload-limits.conf b/nginx/snippets/spx-upload-limits.conf index 0718c5a..a0770d9 100644 --- a/nginx/snippets/spx-upload-limits.conf +++ b/nginx/snippets/spx-upload-limits.conf @@ -2,6 +2,10 @@ # Shared WordPress upload route overrides # Keep this snippet included in every HTTPS WordPress vhost server block. # ----------------------------------------------------------------------------- +# +# NOTE: These upload handlers are intentionally exempt from $block_reason-based +# UA/geo blocking to avoid false-positive 403s on legitimate upload clients. +# Method restrictions and origin authentication still apply upstream. # WordPress plugin/theme ZIP uploader — raised body limit for this single # handler only. update.php processes plugin and theme uploads submitted via 
@@ -10,8 +14,6 @@ # than on the broad /wp-admin/ prefix so all other admin routes stay at the # safe 10m global default. location = /wp-admin/update.php { - if ($block_reason != "") { return 403; } - # 64m covers the vast majority of plugin/theme archives while remaining # well below the 100m cap used for media uploads. client_max_body_size 64m; @@ -33,8 +35,6 @@ location = /wp-admin/update.php { # WP admin async upload — POST only; uses wp_admin rate zone. location = /wp-admin/async-upload.php { - if ($block_reason != "") { return 403; } - client_max_body_size 100m; if ($request_method = OPTIONS) { @@ -54,8 +54,6 @@ location = /wp-admin/async-upload.php { # WP REST API media — GET/HEAD for reads, POST for uploads, OPTIONS for CORS. location ~* ^/wp-json/wp/v2/media { - if ($block_reason != "") { return 403; } - client_max_body_size 100m; if ($request_method = OPTIONS) { From 176d534ecbd54427fb4b04288aeaa0b916faf04d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Jun 2026 16:24:15 +0000 Subject: [PATCH 05/15] Clarify upload-route security note in nginx snippet --- nginx/snippets/spx-upload-limits.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nginx/snippets/spx-upload-limits.conf b/nginx/snippets/spx-upload-limits.conf index a0770d9..f6004ba 100644 --- a/nginx/snippets/spx-upload-limits.conf +++ b/nginx/snippets/spx-upload-limits.conf @@ -5,7 +5,8 @@ # # NOTE: These upload handlers are intentionally exempt from $block_reason-based # UA/geo blocking to avoid false-positive 403s on legitimate upload clients. -# Method restrictions and origin authentication still apply upstream. +# Method restrictions and rate limits still apply in these handlers, while +# upload authorization is still enforced by WordPress upstream. # WordPress plugin/theme ZIP uploader — raised body limit for this single # handler only. update.php processes plugin and theme uploads submitted via 
From 1b1828759de3899297081e0b5e1398708ee3eed0 Mon Sep 17 00:00:00 2001 From: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> Date: Fri, 19 Jun 2026 10:26:17 -0700 Subject: [PATCH 06/15] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> --- var/www/html/.user.ini | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/var/www/html/.user.ini b/var/www/html/.user.ini index 86effcb..de8307b 100644 --- a/var/www/html/.user.ini +++ b/var/www/html/.user.ini @@ -8,9 +8,9 @@ ; WordPress admin, REST API, and front-end upload flows. ; ; NOTE: upload_max_filesize and post_max_size are PHP_INI_PERDIR entries that -; php.ini / a FPM pool .conf). Web access to this file is blocked by the -; Nginx dotfile deny (location ~ /\. { deny all; }) and by Apache -; common-settings.conf ( Require all denied). +; must be configured via php.ini or an FPM pool .conf (not via ini_set()). +; Web access to this file is blocked by the Nginx dotfile deny (location ~ /\. { deny all; }) +; and by Apache common-settings.conf ( Require all denied). ; ; These values mirror the nginx per-route body-size limits: ; /wp-admin/update.php → client_max_body_size 64m From ced68b6062e495e5cec11328ca91f125540c76a2 Mon Sep 17 00:00:00 2001 From: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> Date: Fri, 19 Jun 2026 10:30:37 -0700 Subject: [PATCH 07/15] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> --- var/www/html/.user.ini | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/var/www/html/.user.ini b/var/www/html/.user.ini index de8307b..0f72b2f 100644 --- a/var/www/html/.user.ini +++ b/var/www/html/.user.ini 
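Review bot: The rewritten NOTE now says these PHP_INI_PERDIR entries `must be configured via php.ini or an FPM pool .conf (not via ini_set())`, which contradicts the file it sits in — a .user.ini is the third place PHP_INI_PERDIR directives can be set, and that is the whole reason this file exists. A maintainer reading it could conclude the file is ineffective and move the values elsewhere. Suggest `; must be set in php.ini, an FPM pool .conf, or a .user.ini like this one; ini_set() cannot change them.` The same wording is carried unchanged through the later patches in this series.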
@@ -3,9 +3,9 @@ ; Deployed to: /var/www/html/.user.ini ; ; PHP-FPM scans for .user.ini files in the directory containing each requested -; PHP file and all parent directories up to the document root. Settings placed +; PHP file and all parent directories up to the document root, and caches the +; result for user_ini.cache_ttl seconds (default typically 300). Settings placed ; here apply to every PHP request served from /var/www/html/, covering all -; WordPress admin, REST API, and front-end upload flows. ; ; NOTE: upload_max_filesize and post_max_size are PHP_INI_PERDIR entries that ; must be configured via php.ini or an FPM pool .conf (not via ini_set()). From 815e8d2c9bf65ef78db68d564f6f4e8763298902 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Jun 2026 17:32:47 +0000 Subject: [PATCH 08/15] Tighten WP media REST location match --- nginx/snippets/spx-upload-limits.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/snippets/spx-upload-limits.conf b/nginx/snippets/spx-upload-limits.conf index f6004ba..5cd8ddc 100644 --- a/nginx/snippets/spx-upload-limits.conf +++ b/nginx/snippets/spx-upload-limits.conf @@ -54,7 +54,7 @@ location = /wp-admin/async-upload.php { } # WP REST API media — GET/HEAD for reads, POST for uploads, OPTIONS for CORS. -location ~* ^/wp-json/wp/v2/media { +location ~* ^/wp-json/wp/v2/media(?:/|$) { client_max_body_size 100m; if ($request_method = OPTIONS) { From 728c04d258f1c09455036674ab33a31bf5dd5e31 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Jun 2026 17:37:36 +0000 Subject: [PATCH 09/15] Split upload route blocking into hard and soft reasons --- nginx/conf.d/spx-bot-mitigation-logic.conf | 13 +++++++++++++ nginx/snippets/spx-upload-limits.conf | 12 ++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) 
diff --git a/nginx/conf.d/spx-bot-mitigation-logic.conf b/nginx/conf.d/spx-bot-mitigation-logic.conf
index 1c5863b..57cffbe 100644
--- a/nginx/conf.d/spx-bot-mitigation-logic.conf
+++ b/nginx/conf.d/spx-bot-mitigation-logic.conf
@@ -61,3 +61,16 @@ map "$ua_block_type:$empty_ua_geo_block" $block_reason {
 "1:1" "malformed_or_scanner";
 default "";
 }
+
+# 6. Hard-block subset used by upload handlers.
+# Upload routes may bypass soft UA/geo-only signals to reduce false positives,
+# but must still enforce high-confidence malicious signatures.
+map $block_reason $hard_block_reason {
+ default "";
+ "malformed_or_scanner" "malformed_or_scanner";
+ "ua_header_injection" "ua_header_injection";
+ "scanner_ua" "scanner_ua";
+ "legacy_msie" "legacy_msie";
+ "legacy_android" "legacy_android";
+ "opera_mini_legacy" "opera_mini_legacy";
+}
diff --git a/nginx/snippets/spx-upload-limits.conf b/nginx/snippets/spx-upload-limits.conf
index 5cd8ddc..a3346e8 100644
--- a/nginx/snippets/spx-upload-limits.conf
+++ b/nginx/snippets/spx-upload-limits.conf
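Review bot: The keys of the new `$hard_block_reason` map are free-form strings that must equal the exact result strings of the `$block_reason` map above it, and only `malformed_or_scanner` is visible in this hunk; any value that is renamed or misspelled on either side silently falls through to `default ""`, which means that reason is allowed on the upload routes, and `nginx -t` cannot catch it. Suggest a comment binding the two maps, e.g. `# Keys are the literal result strings of the $block_reason map above; an unmatched value is treated as soft and allowed on upload routes.`, plus a deploy-time check that every non-empty `$block_reason` output is listed here or deliberately omitted.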
@@ -3,10 +3,11 @@ # Keep this snippet included in every HTTPS WordPress vhost server block. # ----------------------------------------------------------------------------- # -# NOTE: These upload handlers are intentionally exempt from $block_reason-based -# UA/geo blocking to avoid false-positive 403s on legitimate upload clients. -# Method restrictions and rate limits still apply in these handlers, while -# upload authorization is still enforced by WordPress upstream. +# NOTE: These upload handlers bypass soft $block_reason UA/geo checks to avoid +# false-positive 403s on legitimate upload clients, but still enforce +# $hard_block_reason malicious-signature blocks. Method restrictions and rate +# limits still apply in these handlers, while upload authorization is still +# enforced by WordPress upstream. # WordPress plugin/theme ZIP uploader — raised body limit for this single # handler only. update.php processes plugin and theme uploads submitted via @@ -28,6 +29,7 @@ location = /wp-admin/update.php { deny all; } + if ($hard_block_reason != "") { return 403; } limit_req zone=spx_wp_admin burst=150 nodelay; include /etc/nginx/snippets/spx-standard-proxy-headers.conf; include /etc/nginx/snippets/spx-dynamic-proxy-headers.conf; @@ -47,6 +49,7 @@ location = /wp-admin/async-upload.php { deny all; } + if ($hard_block_reason != "") { return 403; } limit_req zone=spx_wp_admin burst=150 nodelay; include /etc/nginx/snippets/spx-standard-proxy-headers.conf; include /etc/nginx/snippets/spx-dynamic-proxy-headers.conf; @@ -66,6 +69,7 @@ location ~* ^/wp-json/wp/v2/media(?:/|$) { deny all; } + if ($hard_block_reason != "") { return 403; } limit_req zone=spx_general burst=200 nodelay; include /etc/nginx/snippets/spx-standard-proxy-headers.conf; include /etc/nginx/snippets/spx-dynamic-proxy-headers.conf; From cee6f6a5a943ebcc1ef6f15a653b2dcf2918cf4f Mon Sep 17 00:00:00 2001 
From: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> Date: Fri, 19 Jun 2026 10:49:46 -0700 Subject: [PATCH 10/15] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> --- var/www/html/.user.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/var/www/html/.user.ini b/var/www/html/.user.ini index 0f72b2f..dfd33b2 100644 --- a/var/www/html/.user.ini +++ b/var/www/html/.user.ini @@ -5,7 +5,7 @@ ; PHP-FPM scans for .user.ini files in the directory containing each requested ; PHP file and all parent directories up to the document root, and caches the ; result for user_ini.cache_ttl seconds (default typically 300). Settings placed -; here apply to every PHP request served from /var/www/html/, covering all +; here apply to every PHP request served from /var/www/html/. ; ; NOTE: upload_max_filesize and post_max_size are PHP_INI_PERDIR entries that ; must be configured via php.ini or an FPM pool .conf (not via ini_set()). From 1eede204e595513d11bc430770818530d1cd4d38 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Jun 2026 17:54:12 +0000 Subject: [PATCH 11/15] Tighten WP REST media location regex to collection and numeric-ID paths only --- nginx/snippets/spx-upload-limits.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nginx/snippets/spx-upload-limits.conf b/nginx/snippets/spx-upload-limits.conf index a3346e8..1f869a4 100644 --- a/nginx/snippets/spx-upload-limits.conf +++ b/nginx/snippets/spx-upload-limits.conf 
@@ -57,7 +57,9 @@ location = /wp-admin/async-upload.php { } # WP REST API media — GET/HEAD for reads, POST for uploads, OPTIONS for CORS. -location ~* ^/wp-json/wp/v2/media(?:/|$) { +# Pattern matches only the collection endpoint and numeric single-item paths +# (/wp-json/wp/v2/media and /wp-json/wp/v2/media/{id}); nothing broader. +location ~* ^/wp-json/wp/v2/media(/[0-9]+)?$ { client_max_body_size 100m; if ($request_method = OPTIONS) { From e9305a93a6ede9a17b7cd1b89283b3535f15b273 Mon Sep 17 00:00:00 2001 From: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> Date: Fri, 19 Jun 2026 11:15:22 -0700 Subject: [PATCH 12/15] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> --- var/www/html/.user.ini | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/var/www/html/.user.ini b/var/www/html/.user.ini index dfd33b2..03a0a78 100644 --- a/var/www/html/.user.ini +++ b/var/www/html/.user.ini 
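Review bot: The comment says the pattern matches the media endpoint and "nothing broader", but the narrowing also drops paths the previous `(?:/|$)` form matched, and the comment should say what now falls back to the default location: nginx matches `location` against the URI without the query string, so the `/index.php?rest_route=/wp/v2/media` form of the same route keeps the global body limit and the full block check, and a trailing-slash `/wp-json/wp/v2/media/` no longer matches here either (whether WordPress accepts that form is not visible on this page; confirm before relying on it). Minor style point: the group changed from the non-capturing `(?:...)` of the previous version to a capturing `(/[0-9]+)?`, which sets `$1` for no use; `location ~* ^/wp-json/wp/v2/media(?:/[0-9]+)?$ {` keeps the earlier style.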
@@ -12,24 +12,22 @@ ; Web access to this file is blocked by the Nginx dotfile deny (location ~ /\. { deny all; }) ; and by Apache common-settings.conf ( Require all denied). ; -; These values mirror the nginx per-route body-size limits: +; These values are aligned with the nginx per-route body-size limits: ; /wp-admin/update.php → client_max_body_size 64m ; /wp-admin/async-upload.php → client_max_body_size 100m ; /wp-json/wp/v2/media → client_max_body_size 100m ; -; upload_max_filesize: individual file cap — set to 100M to cover the media -; upload ceiling (videos, audio). Gutenberg plugin ZIPs (~35 MB) are well -; inside this value. +; upload_max_filesize: individual file cap — set below the 100m Nginx limit so a +; multipart/form-data request (file + boundaries + fields) stays under the +; upstream request-size cap. ; -; post_max_size: total POST body cap — must exceed upload_max_filesize to -; leave room for multipart boundary, form fields, and chunk overhead. -; 105M provides ~5M of headroom above the 100M file cap. +; post_max_size: total POST body cap — must exceed upload_max_filesize to leave +; room for multipart boundary and form fields. 100M provides ~5M headroom above +; the 95M file cap. ; -; Cloudflare hard cap: ~100 MB per request (plan-dependent). Keep -; upload_max_filesize at/under that cap; post_max_size may be slightly higher -; to allow multipart overhead, but the effective request size is still capped -; upstream. +; Cloudflare hard cap: ~100 MB per request (plan-dependent). The effective limit +; is still capped upstream. ; ============================================================================= -upload_max_filesize = 100M -post_max_size = 105M +upload_max_filesize = 95M +post_max_size = 100M From 5b43a43e12e32d5e0d3feb0b6aa50b592982bd6d Mon Sep 17 00:00:00 2001 
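Review bot: The units in the new values and the Cloudflare sentence do not line up: PHP's `M` suffix and nginx's `m` are mebibytes, so `post_max_size = 100M` and the `client_max_body_size 100m` it mirrors are 104,857,600 bytes, which is above a decimal 100 MB cap. If Cloudflare's figure is decimal (the comment only says `~100 MB`, so this is inferred), such a request is rejected upstream before nginx or PHP see it, and the stated `~5M headroom` holds only inside the origin. Either state which unit the Cloudflare figure uses or size both caps under it, e.g. `post_max_size = 95M` with a matching nginx value. Also worth one line noting that a body over `post_max_size` makes PHP discard `$_POST` and `$_FILES` with only a warning, so WordPress reports a generic failure rather than a size error.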
From: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> Date: Fri, 19 Jun 2026 11:15:34 -0700 Subject: [PATCH 13/15] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> --- nginx/snippets/spx-upload-limits.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nginx/snippets/spx-upload-limits.conf b/nginx/snippets/spx-upload-limits.conf index 1f869a4..0370a08 100644 --- a/nginx/snippets/spx-upload-limits.conf +++ b/nginx/snippets/spx-upload-limits.conf @@ -5,9 +5,9 @@ # # NOTE: These upload handlers bypass soft $block_reason UA/geo checks to avoid # false-positive 403s on legitimate upload clients, but still enforce -# $hard_block_reason malicious-signature blocks. Method restrictions and rate -# limits still apply in these handlers, while upload authorization is still -# enforced by WordPress upstream. +# $hard_block_reason hard security blocks. Method restrictions and rate limits +# still apply in these handlers, while upload authorization is enforced by +# WordPress upstream. # WordPress plugin/theme ZIP uploader — raised body limit for this single # handler only. update.php processes plugin and theme uploads submitted via From f0879e359b73b33cd9f9c3a14e91e92ee54af25d Mon Sep 17 00:00:00 2001 From: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> Date: Fri, 19 Jun 2026 11:15:49 -0700 Subject: [PATCH 14/15] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> --- nginx/conf.d/spx-bot-mitigation-logic.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/conf.d/spx-bot-mitigation-logic.conf b/nginx/conf.d/spx-bot-mitigation-logic.conf index 57cffbe..f60a21a 100644 
--- a/nginx/conf.d/spx-bot-mitigation-logic.conf +++ b/nginx/conf.d/spx-bot-mitigation-logic.conf @@ -64,7 +64,7 @@ map "$ua_block_type:$empty_ua_geo_block" $block_reason { # 6. Hard-block subset used by upload handlers. # Upload routes may bypass soft UA/geo-only signals to reduce false positives, -# but must still enforce high-confidence malicious signatures. +# but must still enforce hard security blocks (scanner/header-injection/legacy UA). map $block_reason $hard_block_reason { default ""; "malformed_or_scanner" "malformed_or_scanner"; From 4360393afffa3677473995cc79652841182114b0 Mon Sep 17 00:00:00 2001 From: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> Date: Fri, 19 Jun 2026 15:08:11 -0700 Subject: [PATCH 15/15] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com> --- nginx/conf.d/spx-bot-mitigation-logic.conf | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/nginx/conf.d/spx-bot-mitigation-logic.conf b/nginx/conf.d/spx-bot-mitigation-logic.conf index f60a21a..1d3ce01 100644 --- a/nginx/conf.d/spx-bot-mitigation-logic.conf +++ b/nginx/conf.d/spx-bot-mitigation-logic.conf @@ -66,11 +66,7 @@ map "$ua_block_type:$empty_ua_geo_block" $block_reason { # Upload routes may bypass soft UA/geo-only signals to reduce false positives, # but must still enforce hard security blocks (scanner/header-injection/legacy UA). map $block_reason $hard_block_reason { - default ""; - "malformed_or_scanner" "malformed_or_scanner"; - "ua_header_injection" "ua_header_injection"; - "scanner_ua" "scanner_ua"; - "legacy_msie" "legacy_msie"; - "legacy_android" "legacy_android"; - "opera_mini_legacy" "opera_mini_legacy"; + default $block_reason; + "empty_user_agent" ""; + "empty_ua_high_risk_geo" ""; }
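Review bot: Inverting the map to `default $block_reason` with two exemptions changes the contract the snippet comment in spx-upload-limits.conf describes ("bypass soft $block_reason UA/geo checks"): every `$block_reason` value other than `empty_user_agent` and `empty_ua_high_risk_geo` now hard-blocks the upload routes, including any geo-only or other soft reason the producing map emits (only `malformed_or_scanner` is visible on this page, so this is inferred). That is the fail-closed direction and defensible, but the comment kept in context is now stale: `# but must still enforce hard security blocks (scanner/header-injection/legacy UA).` should become something like `# Every $block_reason value is enforced here except the empty-UA reasons exempted below to avoid false positives on upload clients.` The two exempted keys must also be the literal result strings of the `$block_reason` map; a mismatch leaves that reason hard-blocking rather than exempt, so a comment pointing at the producing map is worth adding.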