diff --git a/conf/modsecurity.conf b/conf/modsecurity.conf
index 674a4dd..0a36aaa 100644
--- a/conf/modsecurity.conf
+++ b/conf/modsecurity.conf
@@ -9,11 +9,11 @@ SecAuditLog /var/log/modsecurity/audit.log
 
 # sql injection
 SecRule REQUEST_URI|ARGS "['\";]|--" \
-    "id:950001,phase:2,deny,status:403,msg:'SQL Injection Attack Detected',log"
+    "id:950001,phase:1,deny,status:403,msg:'SQL Injection Attack Detected',log"
 
 # xss / html injection
-SecRule REQUEST_URI|ARGS "<.*>" \
-    "id:950003,phase:2,deny,status:403,msg:'XSS/HTML Injection Detected',log"
+SecRule REQUEST_URI ARGS "<.*>" \
+    "id:950003,phase:1,deny,status:403,msg:'XSS/HTML Injection Detected',log"
 
 # command injection
 SecRule ARGS "(\"role\".*:.*\"admin\")|exec|cat|more|ls|dir|/etc/passwd" \