I know I discussed this before in here but cannot find the post. I have mod security rules included from httpd.conf, I have one user's site in which I had to disable mod security on. I need to add the new rule concerning the null byte exploit to it and also some generic rules to protect against this but not activate all mod security rules for the particular domain. What would be the best way to handle this? It is a cpanel server. I have been told by some reliable sources that even with new update encoded urls can get through. Do not know if that is true or not but I wanted to make some extra protections for it. Also can the request filter AND mod security be active at the same time? Will secfilter rules in htaccess effect the request filter? such as secfiltengine off. Please advise.