From cd19841ec352d4b3c609bd453332b2cedde26082 Mon Sep 17 00:00:00 2001
From: bunkerity <contact@bunkerity.com>
Date: Sun, 23 Aug 2020 23:02:23 +0200
Subject: [PATCH] readme - details about modsec include order

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6aad29e..d346a25 100644
--- a/README.md
+++ b/README.md
@@ -213,7 +213,7 @@ You can include custom rules by adding .conf files into the /modsec-confs/ direc
 Values: *yes* | *no*
 Default value : *yes*
 If set to yes, the [OWASP ModSecurity Core Rule Set](https://coreruleset.org/) will be used. It provides generic rules to detect common web attacks.  
-You can customize the CRS (i.e. : add WordPress exclusions) by adding custom .conf files into the /modsec-crs-confs/ directory inside the container (i.e : through a volume).
+You can customize the CRS (i.e. : add WordPress exclusions) by adding custom .conf files into the /modsec-crs-confs/ directory inside the container (i.e : through a volume). Files inside this directory are included before the CRS rules. If you need to tweak (i.e. : SecRuleUpdateTargetById) put .conf files inside the /modsec-confs/ which is included after the CRS rules.
 
 ## Security headers
 `X_FRAME_OPTIONS`