How do I modify Apache mod_security to accept incoming IPN requests?

Per RFC 2616 Section 14.43, the User-Agent header is a recommended, but not required, header for HTTP/1.1 communication requests. Because request header spoofing is trivial, it shouldn't be relied upon as part of a security validator.

To permit incoming IPN requests from PayPal, which doesn't supply the User-Agent header, change the mod_security config to accept all connections from *.paypal.com. To do so, add something similar to the following line before the line denying empty User-Agent headers:

SecRule REMOTE_HOST "\.paypal\.com$" "allow,log,logdata:'Permitting incoming connection from PayPal'"

This will permit incoming connections from the domain, while allowing you to deny other connections that don't supply the User-Agent header.
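
The rule in context, as an added example that is not part of the original page: it places the exception ahead of an empty-User-Agent deny rule, using ModSecurity 2.x syntax. The rule ids, the form of the deny rule and the HostnameLookups setting are assumptions; REMOTE_HOST only holds a hostname when Apache performs the DNS lookup.

```apache
# Added example, not PayPal's or the ModSecurity project's own configuration.
# Rule ids 1000001/1000002 and the deny rule are assumptions; use your own.

# REMOTE_HOST only contains a hostname when Apache resolves it. With
# HostnameLookups Off it holds the client IP and the pattern never matches.
# "Double" also forward-confirms the reverse lookup, so a PTR record that
# merely claims to be under paypal.com is discarded instead of trusted.
HostnameLookups Double

<IfModule security2_module>
    SecRuleEngine On

    # 1. Exception first: hosts whose confirmed name ends in .paypal.com.
    #    The leading "\." keeps names such as "notpaypal.com" from matching.
    SecRule REMOTE_HOST "\.paypal\.com$" \
        "id:1000001,phase:1,allow,log,logdata:'Permitting incoming connection from PayPal'"

    # 2. Existing policy (assumed form): reject requests with no User-Agent.
    #    Requests allowed by rule 1000001 never reach this rule.
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
        "id:1000002,phase:1,deny,status:403,log,msg:'Request without User-Agent header'"
</IfModule>
```

HostnameLookups adds a DNS round trip to each request, so scope it to the virtual host or location that receives IPN posts where possible.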