Last updated 25 April 2008. Created on 17 January 2007.
Edited by JohnAlbin, LeeHunter, Heine.

When submitting certain words in content, you receive a 403, 404, 406, 500 or "Page not found" error message.

This behaviour is most likely caused by the Apache module mod_security. Depending on its filter settings, phrases that trip the module include

lynx, perl, mother, select from, table, cc:, and many more.

Ask your host to tone down the mod_security settings.

Alternatively you can try to add the following to .htaccess:

# Turn off mod_security filtering.
<IfModule mod_security.c>
  SecFilterEngine Off
</IfModule>

This will turn off filtering by mod_security.

Not all hosts will allow this, so you may need to contact your hosting provider.



kruser’s picture

The syntax for ModSecurity2 is a little different.

# Turn off mod_security filtering.
<IfModule mod_security2.c>
  SecRuleEngine Off
</IfModule>

For me it didn't work in the .htaccess (.htaccess: SecRuleEngine not allowed here). So, I had to turn it off from the modsec2.conf

Bob @ Drupal Aid (

swolynski’s picture

I ran into something similar while editing a CCK content type field in a newly deployed site on a VPS hosting account. I'd get a 500 Internal Server Error whenever I tried to submit a form to change a text select field with a large set of allowed values. When I checked my logs, mod_security rules 300016 and 300013 were getting false positives. Instead of removing mod_security altogether I put in an exclusion rule at the end of the mod_security configuration file. As discussed here...

I used the exclusion rule below so these wouldn't generate false positives when I was editing my content types.

#drupal exclusion rule
<LocationMatch "/admin/content/node-type/*">
  SecRuleRemoveById 300013
  SecRuleRemoveById 300016
</LocationMatch>

Thought it might be helpful.
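
The log-first approach from the comment above, as an added example that is not part of the original page or its comments: it reads ModSecurity denial lines from an Apache error log, collects the rule ids that fired under an admin-chosen path prefix, and renders a scoped exclusion instead of switching the engine off. It assumes the ModSecurity 2.x error-log layout with `[id "…"]` and `[uri "…"]` tags; the function names and the sample log lines are constructed for illustration, and only rule ids 300013 and 300016 come from the comment.

```python
import re
from collections import defaultdict

# Constructed Apache error-log lines in the ModSecurity 2.x message layout;
# addresses, file paths, patterns and URIs are made up for illustration.
SAMPLE_LOG = """\
[Mon Jul 21 10:02:11 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 500 (phase 2). Pattern match "constructed-pattern" at ARGS:allowed_values. [file "/etc/modsec/rules.conf"] [line "41"] [id "300016"] [hostname "www.example.org"] [uri "/admin/content/node-type/story/fields/field_color"]
[Mon Jul 21 10:03:40 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 500 (phase 2). Pattern match "constructed-pattern" at ARGS:allowed_values. [file "/etc/modsec/rules.conf"] [line "29"] [id "300013"] [hostname "www.example.org"] [uri "/admin/content/node-type/page/fields/field_size"]
[Mon Jul 21 10:05:02 2014] [error] [client 198.51.100.23] ModSecurity: Access denied with code 500 (phase 2). Pattern match "constructed-pattern" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "41"] [id "300016"] [hostname "www.example.org"] [uri "/search/node"]
[Mon Jul 21 10:06:00 2014] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico
"""

DENIED = re.compile(r'ModSecurity: Access denied with code (\d+)')
TAG = re.compile(r'\[(id|uri) "([^"]*)"\]')

def denials(log_text):
    """Yield (status, rule_id, uri) for each ModSecurity denial line."""
    for line in log_text.splitlines():
        m = DENIED.search(line)
        tags = dict(TAG.findall(line))
        if m and "id" in tags and "uri" in tags:
            yield int(m.group(1)), tags["id"], tags["uri"]

def rules_by_prefix(log_text, trusted_prefixes):
    """Map each trusted path prefix to the rule ids that blocked requests under it.
    Denials outside those prefixes are returned for review, never excluded."""
    hits, unreviewed = defaultdict(set), []
    for status, rule_id, uri in denials(log_text):
        prefix = next((p for p in trusted_prefixes if uri.startswith(p)), None)
        if prefix:
            hits[prefix].add(rule_id)
        else:
            unreviewed.append((status, rule_id, uri))
    return dict(hits), unreviewed

def exclusion_config(hits):
    """Render one anchored LocationMatch block per prefix (prefix is used as a regex)."""
    blocks = []
    for prefix in sorted(hits):
        lines = ['<LocationMatch "^%s">' % prefix]
        lines += ["  SecRuleRemoveById %s" % rid for rid in sorted(hits[prefix], key=int)]
        lines.append("</LocationMatch>")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)

if __name__ == "__main__":
    hits, unreviewed = rules_by_prefix(SAMPLE_LOG, ["/admin/content/node-type/"])
    print(exclusion_config(hits))
    print("review separately:", unreviewed)
```

The rendered block belongs in the server-level ModSecurity configuration; as other comments on this page report, ModSecurity 2 does not accept these directives in .htaccess.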

acbart’s picture

Which .htaccess is this referring to? The one in the top of the Drupal installation folder, or the one in the "sites/default/files/" folder?

I've been trying to deal with an error that is similar to this, where it seems to happen randomly with POSTs, but adding these lines to the .htaccess in the top Drupal folder didn't have any effect. The .htaccess in sites/default/files is write-protected, so I'd like some confirmation before screwing anything up :)

wwalc’s picture

Instead of turning off mod_security (ouch) or disabling caching, here's another solution that I think will work.

If mod_security is returning HTTP 406 code, then simply create 406.html file with some error message and add "ErrorDocument 406 /406.html" to .htaccess, to have something like:

# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php
# Special static page for mod_security errors
ErrorDocument 406 /406.html

This way Drupal will not serve pages denied by mod_security, so they'll not be cached as well.

Wiktor Walc
"Support Open Source Software"

Danny_Joris’s picture


I have what looks like a similar issue posted here: . Unfortunately I haven't found a solution yet. I'm receiving 406.shtml errors, I added the first snippet (the others posted here break return errors.) but it didn't fix my problem. My admin pages load twice as fast, though. Which is nice :)

Does anyone have any suggestions?

--Edit: I contacted my hosting company ( and they fixed it for me. They said that they use mod_security version 2 which cannot be controlled through .htaccess files. It's good to know when the code snippets provided here fail to work.

livingegg’s picture

D6: I was getting a mysterious 403 Forbidden whenever I tried to log in. Fixed the issue by turning off the open ID module.

vegantriathlete’s picture

After reconfiguring my directory structure somewhat, I also started receiving Page not found errors. The watchdog file showed the 406.shtml in the message field. I told my web host about the possible connection to mod_security.c or mod_security2.c. Sure enough, after they turned off mod_security everything worked fine. I'm not too thrilled about having mod_security turned off entirely though, and have asked them if they can tune it to not be so aggressive.

I'm not sure what the restructure would have done to cause this error, though. I have asked my host to give me some more information so that I can see if I can track it down in the code.

wcndave’s picture

I have the same thing, however only for non-admin roles, and it seems to be any HTML at all that is not allowed... really frustrating... I don't know where to make the mod_sec changes, as I don't have root access to this co-location server. Is there nothing in Drupal one can set?

aenw’s picture

I ran into a similar scenario: Suddenly, when I tried to update the footer in Admin> Site Information and when I used HTML formatting in the footer text, I started to receive a 403 error. (Applying HTML formatting is the key to creating the error.) Thanks to the info here and a few other places, I was able to try different solutions -- but with no success.
I contacted my site host (ANHosting) and asked if they could see if it was related to mod_security. (I gave them a user account for my site so they could reproduce the error and test.) They said they "relaxed the mod_security for my site" and now it's working fine for me.
I wish I knew what they did exactly so I could share here, but alas, they didn't give me that info.
Hope this helps someone else.
- aenw

igrok’s picture

I hit a similar issue on my server hosted by AN Hosting - every attempt to submit one of my blog posts redirected to 403 Forbidden.

It appears my issue was in attempting to post bookmarklets as links. I'm assuming mod_security blocks JavaScript in links.

In my case, I was able to make do without putting JavaScript in the links.

nomad-drupal’s picture

Took me a long time to figure out mod security settings at Midphase caused 403's on two separate Drupal administration forms;


On first glance it seemed a .htaccess issue related to running Drupal in a subdirectory
Secondly an issue with the Drupal forms API

NONE of that. The fix was a mod security exception for my sites made by the administrators.

The issue is described in detail in:

Gib...’s picture


I updated to 7.24 and updated every module. Maybe it started before, I'm not sure, but it got worse.
I can't even create a simple node with Test as title and only word in the body.
I get "Page not found" with indication of the page I wanted to save : "/?q=fr/node/add/page" or "/?q=fr/node/413/edit" or "/?q=en/node/854/edit".

I installed Devel to try to figure out what is going on. But Devel does not show up on the "Not found Page".
The only thing certain is I get a 500.shtml entry in the log.
So I tried adding mod_security and mod_security2 in htaccess.
Same result nothing is saved.
Site is displayed fine. Updates to administration forms are fine. Just updates on node do not work at all.
No other errors messages. Cache and update.php run many times.

Before trying to go back to 7.23 I tried this comment to get any help. Don't know what else to try.

drupalfan81’s picture

Well I have searched for hours and I cannot find a solution to my problem and each search brings me back to this page, so I thought I would post here, hoping someone else comes across this and they have a solution or someone can provide me a solution. What's really driving me nuts was that I HAD this problem before and fixed it, but for the life of me, I can't recall what the heck that fix was. And I must have been so exhausted after finding it that I didn't save a note for me in the future.

Basically, I have a CCK image field on one of my content types. I can go in and edit it, but once I save my changes, the dumb thing quickly loads the page not found page on my site.

Looking at the error log, it displays this...not too helpful...

Type page not found
Date Sunday, July 20, 2014 - 11:14pm
User yoninja
Message 406.shtml
Severity warning

I have tried clearing caches, running update.php, running cron, rebuilding permissions. Basically everything I could think of. I don't think it's an issue with the htaccess file, because this issue is limited to JUST this one CCK field. For example, I have another CCK image field attached to this content, and I can edit, change the settings and save it just fine. In fact, all the other fields that I have tried work just fine. This is the part that I recall from the last time this damn problem happened. Which is why it drove me mad, because it made no sense. Why can't I edit this one CCK field, where there is another just like it on the same content type and I can edit it just fine.

And there are no errors, just loads the stupid search page with the page not found text and the 406.shtml in the search box (this is because I have the search404 module to grab users that reach page not found pages).

Before I bash my head into the table, can someone please tell me how I can fix this problem. I swear I will write it down this time, because now this issue has at least stolen 8-10 hours of my life. ARRRR

drupalfan81’s picture

For anyone that comes across this post looking for a solution to the problem I posted, I have found the culprit and how to fix it. Although I still have no idea why it's crashing Drupal's ability to edit the node. Perhaps someone can answer that question. The answer is posted here:

I created this separate thread in case my issue was different from the one the original poster posted.

The issue I was experiencing was Drupal would load a 406.shtml every time I tried to edit anything on the CCK field on the manage fields page of the content instance I was editing. Check the URL above to see the solution and cause of this issue. I hope you found this link if you were stumped as much as I was. I scoured the web by searching everything I could think of in Google and came up with nothing. I can't believe I am the only one to come across this issue. Perhaps I was just searching with the wrong keywords.