I have seen conflicting opinions regarding the necessity of mod_security on the forum. We have been having (in the past as well) issues where performance periodically is bad, especially in the back end. It appears in these cases that something is trying to make a connection outside the browser and this is timing out. We just upgraded to CS-Cart 4.3.3 and our VPS has ModSecurity for Apache v2.9.0 installed. Log monitoring during issues seemed to indicate mod_security was the cause and we found an offending line, so we disabled mod_security for our CS-Cart domain (only CS-Cart is running here) as a quick fix and it worked. The problems seem to have gone away, but since the prevailing opinion on the forum is that mod_security should not be disabled, I'm concerned that this makes us vulnerable. We have a subdomain for our WordPress blog but left mod_security enabled there and this will be what we do going forward: that is, isolating applications by domain and configuring separately.
In a domain or subdomain with just CS-Cart, is mod_security in fact needed, or is CS-Cart defensively coded so as to make mod_security unnecessary? If needed, is a list of rules available to properly configure mod_security for CS-Cart? Perhaps this thread might be a good place to start one and could serve as a permanent resource. Maybe CS-Cart support could contribute a recommended list of rules to disable, using a CS-Cart only domain or subdomain as a reference which could then be modified as needed for other cases.
We found one line in the error log which was associated with a mod_security rule and elected to disable the module rather than deal with the specific error, since our log monitoring was very limited and so there must be others anyway. Looking at forum posts on mod_security I saw that mod_security could interpret form coding mistakes as SQL injection attacks and this makes sense since we have a new but uncompleted custom search add-on.
I am not a server, Linux or coder guy. I have to leave that good stuff to others for now but nevertheless try to deal with issues as they arise. Hopefully I'll learn a bit in the process. Please bear with any lack of understanding and, as always, thanks for any insights.
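
Added example, not part of the original post and not CS-Cart or ModSecurity project code: the post describes finding one offending log line and suspecting more, so this script tallies every rule that fired, per URI, and prints per-URI `SecRuleRemoveById` stanzas for the blocking ones as candidates to review instead of turning the module off. It assumes the Apache error-log format written by ModSecurity 2.x; the sample lines, rule IDs, paths and hostnames are constructed.

```python
import re
from collections import Counter

# Constructed sample in the Apache error-log format written by ModSecurity 2.x.
# Rule IDs, file paths, hosts and URIs are invented for illustration.
SAMPLE_LOG = '''\
[Mon Oct 05 10:12:01 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q. [file "/etc/modsec/rules.conf"] [line "64"] [id "900001"] [msg "SQL Injection Attack"] [hostname "shop.example.com"] [uri "/admin.php"] [unique_id "AAA1"]
[Mon Oct 05 10:12:09 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q. [file "/etc/modsec/rules.conf"] [line "64"] [id "900001"] [msg "SQL Injection Attack"] [hostname "shop.example.com"] [uri "/admin.php"] [unique_id "AAA2"]
[Mon Oct 05 10:13:40 2015] [error] [client 198.51.100.9] ModSecurity: Warning. Operator GE matched 5 at TX:score. [file "/etc/modsec/rules.conf"] [line "90"] [id "900002"] [msg "Anomaly Score Exceeded"] [hostname "shop.example.com"] [uri "/index.php"] [unique_id "AAA3"]
[Mon Oct 05 10:14:02 2015] [error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico
'''

# Matches the bracketed metadata tags, e.g. [id "900001"] or [uri "/admin.php"].
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return the fields of one ModSecurity log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(TAG.findall(line))
    if "id" not in fields:
        return None
    # "Access denied" means the request was blocked; "Warning" is detection only.
    fields["blocked"] = "Access denied" in line
    return fields

def tally(text):
    """Count hits per (rule id, URI, message, blocked) so every firing rule is visible."""
    hits = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f:
            hits[(f["id"], f.get("uri", "?"), f.get("msg", ""), f["blocked"])] += 1
    return hits

def candidate_exclusions(hits):
    """Build one per-URI SecRuleRemoveById stanza per blocking rule, for human review."""
    out = []
    for (rule_id, uri, msg, blocked), n in sorted(hits.items()):
        if blocked:
            out.append(f'# {n} hit(s): {msg}\n<LocationMatch "^{re.escape(uri)}$">\n'
                       f'    SecRuleRemoveById {rule_id}\n</LocationMatch>')
    return out

if __name__ == "__main__":
    for key, n in tally(SAMPLE_LOG).most_common():
        print(n, key)
    print("\n".join(candidate_exclusions(tally(SAMPLE_LOG))))
```

Each printed stanza should be checked against the request that triggered it before it goes into the virtual host configuration, since a hit on an unfinished form may be a false positive or a real injection attempt.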