I’m running BunkerWeb 1.6.5 (Docker) with ModSecurity v3 and OWASP CRS 4.19.0, and a JSON POST endpoint (exact URI withheld) is being blocked with 403 due to false positives: rule 930120 (LFI) when a field like profile_image_url contains “.profile”, rule 932235 (RCE) when a natural-language field like params.system begins with “Make …”, and then 949110 triggers on the total anomaly score. I’ve tried targeted exclusions using ctl:ruleRemoveTargetById for 930120 and 932235 on the specific JSON targets (both ARGS and ARGS_NAMES variants), removing 949110 only for this endpoint as a last resort, scoping rules by REQUEST_METHOD POST plus REQUEST_URI_PATH, and ensuring my custom rules are included before crs-setup.conf and the CRS rules/*.conf so ctl: directives apply first. I would appreciate guidance on the recommended way to exclude deep JSON targets with CRS 4.19.0 (e.g., best practice for ARGS/ARGS_NAMES on nested JSON, whether ruleRemoveTargetById is preferred over ruleRemoveById in this scenario, and whether scoping via REQUEST_URI_PATH + method is preferable to SecRuleUpdateTargetById at load time) so I can eliminate these false positives without over-whitelisting or weakening coverage elsewhere.