This specifies what to do if the rule matches. Actions are defined in seven categories, listed below:

  • Disruptive – used to allow ModSecurity to take an action, for example allow or block
  • Flow – affect the flow, for example skip
  • Meta-data – used to provide more information about rules
  • Variable – used to set, change and remove variables
  • Logging – used to influence the way logging takes place
  • Special – used to provide access to another class of functionality
  • Miscellaneous – contain actions that do not belong in any other groups.

If no actions are provided, default actions apply as per SecDefaultAction (phase:2,log,auditlog,pass). The full list of actions is available in the Actions section of the Reference Manual on the ModSecurity Documentation page

When constructing rules, you can specify at what phase the rule should run. Specifying the correct phase can be beneficial in order to reduce CPU processing. For more information on phases, refer to the ModSecurity Reference Manual.