diff --git a/Dockerfile b/Dockerfile
index ecee7744..adef5118 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -61,9 +61,9 @@ RUN apk add --no-cache ca-certificates tzdata tini \
sed -i "s|SecRuleEngine.*|SecRuleEngine On|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \
sed -i "s|unicode.mapping|/usr/local/nginx/conf/conf.d/include/unicode.mapping|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \
git clone https://github.com/coreruleset/coreruleset /tmp/coreruleset && \
- mkdir /usr/local/nginx/conf/conf.d/include/coreruleset && \
+ mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \
mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
- mv /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \
+ mv -v /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \
rm -r /tmp/* && \
luarocks-5.1 install lua-resty-http && \
luarocks-5.1 install lua-cjson && \
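Review bot: The `git clone https://github.com/coreruleset/coreruleset /tmp/coreruleset` step, kept as context in this hunk, takes whatever the default branch holds at build time, so the WAF rule set baked into the image is neither reproducible nor tied to a reviewed release. Pinning it to a release tag would fix that, for example `git clone --depth 1 --branch <CRS_RELEASE_TAG> https://github.com/coreruleset/coreruleset /tmp/coreruleset`, ideally followed by a check of the resulting commit hash. This matters more with this commit, because start.sh now copies files by exact name out of `rules/`, and an upstream rename would break that copy. The RUN instruction begins and ends outside the hunk.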
diff --git a/README.md b/README.md
index 5cfeec4f..1d0b0d27 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ running at home or otherwise, including free TLS, without having to know too muc
**Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).**
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!**
**Note: Don't forget to open Port 80 (tcp) and 443 (tcp AND udp, http3/quic needs udp) in your firewall (because of network mode host, you also need to open this ports in ufw, if you use ufw).**
-**Note: ModSecurity overblocking (403 Error)? Please see `/data/etc/modsecurity/modsecurity-default.conf` and `/opt/npm/etc/modsecurity/crs-setup.conf`.**
+**Note: ModSecurity overblocking (403 Error)? Please see `/data/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).**
**Note: Internal Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.**
**Note: Other Databases like MariaDB may work, but are unsupported.**
diff --git a/rootfs/bin/start.sh b/rootfs/bin/start.sh
index 9fccd0fe..a4d1fc4b 100755
--- a/rootfs/bin/start.sh
+++ b/rootfs/bin/start.sh
@@ -388,6 +388,16 @@ if [ ! -s /data/etc/modsecurity/crs-setup.conf ]; then
fi
cp /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example
+if [ ! -s /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example ]; then
+ cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+fi
+cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+
+if [ ! -s /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example ]; then
+ cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
+fi
+cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
+
if [ "$NPM_CERT_ID" = "0" ]; then
export NPM_CERT=/data/tls/dummycert.pem
export NPM_KEY=/data/tls/dummykey.pem
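Review bot: Both new guards test the `.conf.example` copy instead of the live `.conf` file, unlike the `crs-setup.conf` check visible in the hunk header. The `.example` file is recopied unconditionally on every start, so the guard is only true on the first run. If `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` is later deleted it is never recreated, and the literal `Include` of that path added in modsecurity-crs.conf would then presumably fail the configuration load. Test the file that is actually included: `if [ ! -s /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ]; then`, and likewise for `RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf`. The failure of either `cp` is also not checked in the lines shown, so a missing source file would only surface when nginx loads the rules.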
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf
index 257c7b40..9fb39bf2 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf
@@ -1,4 +1,6 @@
Include /data/etc/modsecurity/modsecurity-default.conf
Include /data/etc/modsecurity/modsecurity-extra.conf
Include /data/etc/modsecurity/crs-setup.conf
+Include /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf
+Include /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
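Review bot: The position of the two new includes is load-bearing but undocumented, so a later reordering of this file could silently break users' exclusions. A short comment above each would help, for example `# Runtime exclusions (ctl:...) must load before the CRS rules` before the REQUEST-900 line and `# Configure-time exclusions (SecRuleRemoveById etc.) must load after the CRS rules` before the RESPONSE-999 line. Both paths are also literal rather than globbed, so they depend on start.sh having created the files under `/data/etc/modsecurity`.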