is there a reason why modesecurity is not installed in the default installation?
I expect the answer to be due to nginx sitting between apache and the internet. Any use of modsecurity would belong at the edge in nginx.
And it needs a lot of specific changes otherwise it has unintended side effects
I thought a WAF would certainly not hurt, since Ngnix acts as a proxy I thought of modsecurity for Apache
where crowdsec is an alternative for server security