running Redmine with mod_security
Added by Stefan Nu over 8 years ago
Hello,
I am running my redmine server with mod_security. I use the rules from OWASP ModSecurity Core Rule Set (CRS).
Very often, mod_security blocks access to redmine due to some user content that was written into a redmine comment/ticket/forum/...
So far all that I can do is disable the respective mod_security rule.
However, after several months of doing so, I get the impression that eventually I have disabled most of the mod_security rules.
So I am interested in knowing if there is a general recommendation on how to run redmine with mod_security.
What experience have others had in doing so?
Has anybody a special mod_security ruleset designed for operation with redmine?
Could redmine be improved to better respect the mod_security rules?
Or asked in another way, is redmine sufficiently robust against attacks to not require a security tool like mod_security?