In this guide, we’ll discuss what causes and how to fix the multipart request body failed strict validation ModSecurity error. When uploading images (or other files) to your website you may see that there is an error within your site that is preventing your content from uploading. This will typically come as a 406 error but sometimes may also come across as an HTTP error, as it does in WordPress when uploading a disallowed image.
How Is This Error Caused?
Upon checking the server error logs, you may see something like the following:
[Mon Sep 22 13:13:14 2014] [error] [client 22.214.171.124] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "15"] [id "1234123456"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 1, IP 0, IH 0, FL 0"] [hostname "example.com"] [uri "wp-admin/async-upload.php"]
This error is caused by mod_security blocking a potentially malicious upload. While it may be completely harmless, mod_security has no way of knowing if it is harmless or not.
Typically, the content in question is a file being uploaded that contains a special character such as a single or double quote within the file name which is often used by attackers to inject malicious scripts into websites.
What is ModSecurity
ModSecurity is an apache module that is installed on your server that helps protect your site from being attacked by common exploits. It is always running on the server and will trigger an error when it detects a possible issue.
How Do I Resolve the Issue?
We will now go over several ways to fix the “multipart request body failed strict validation” error.
Rename The File
Simply put, rename the file to remove the offending special character from the file name. This will stop the ModSecurity filter from flagging your file and halting the upload. See our full guide here:
Keep in mind that you may have to rename it on your local machine if it is not already in cPanel and you’re unable to upload it. Also, if your file does not contain any special characters such as single or double quotes, try one of these other solutions.
If renaming the file is absolutely out of the question, you may disable mod_security using the cPanel Modsec Manager.
or if on a VPS or Dedicated server, contact Technical Support to have the rule disabled. This is, however, highly discouraged as it could open your site up to potential attack.