diff --git a/el9/templates/crs-setup-configmap.yaml b/el9/templates/crs-setup-configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..46040ec230435127d722a572cbff03c70ec8bb95
--- /dev/null
+++ b/el9/templates/crs-setup-configmap.yaml
@@ -0,0 +1,24 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: crs-setup-config-{{ .Release.Name }}
+data:
+  crs-setup.conf: |
+    # This configuration will lower the default
+    # anomaly detection scores for critical, error, warning and notice.
+    # So that mod_security doesn't generate so many false possitives
+    # in our infrastructure. Check for reference:
+    # https://coreruleset.org/docs/2-how-crs-works/2-1-anomaly_scoring/#severity-levels
+    SecAction \
+        "id:900990,\
+        phase:1,\
+        pass,\
+        t:none,\
+        nolog,\
+        tag:'OWASP_CRS',\
+        ver:'OWASP_CRS/4.7.0',\
+        setvar:tx.crs_setup_version=470,\
+        setvar:tx.critical_anomaly_score=2,\
+        setvar:tx.error_anomaly_score=1,\
+        setvar:tx.warning_anomaly_score=0,\
+        setvar:tx.notice_anomaly_score=0"
diff --git a/el9/templates/deployment.yaml b/el9/templates/deployment.yaml
index 8d4ff838367ef730d8502be112a1a1263b10a8ed..36ac0d6eb5fc820ce41fe9e0bed120209c07152e 100644
--- a/el9/templates/deployment.yaml
+++ b/el9/templates/deployment.yaml
@@ -58,6 +58,7 @@ spec:
         webeos.cern.ch/webeos-site-path-regex: {{ .Values.webeosSitePathRegex | quote }}
         webeos.cern.ch/webeos-site-server-version: {{ .Values.webeosSiteServerVersion | quote }}
         # We need to redeploy the controllers in case any of the configMaps/secret changes.
+        checksum/crs-configmap: {{ include (print $.Template.BasePath "/crs-setup-configmap.yaml") . | sha256sum }}
         checksum/httpd-server-config: {{ include (print $.Template.BasePath "/httpd-configmap.yaml") . | sha256sum }}
         checksum/php-config: {{ include (print $.Template.BasePath "/php-configmap.yaml") . | sha256sum }}
         checksum/php-fpm-config: {{ include (print $.Template.BasePath "/php-fpm-configmap.yaml") . | sha256sum }}
@@ -146,6 +147,9 @@ spec:
           - name: eos
             mountPath: /eos
             mountPropagation: HostToContainer
+          - name: crs-setup-config
+            mountPath: /etc/httpd/conf.d/crs-setup.conf
+            subPath: crs-setup.conf
           - name: httpd-server-config
             mountPath: /etc/httpd/conf/httpd.conf
             # mount only `httpd.conf`, to avoid hiding other files installed by the image
@@ -328,6 +332,9 @@ spec:
         - name: httpd-server-config
           configMap:
             name: httpd-server-config-{{ .Release.Name}}
+        - name: crs-setup-config
+          configMap:
+            name: crs-setup-config-{{ .Release.Name}}
         - name: php-config
           configMap:
             name: php-config-{{ .Release.Name}}
diff --git a/el9/templates/httpd-configmap.yaml b/el9/templates/httpd-configmap.yaml
index cef5f45b8de61d813dcc55226c72fa7f3d6a0d16..1a419d450603a9333f70e5edcd2826ef5f200812 100644
--- a/el9/templates/httpd-configmap.yaml
+++ b/el9/templates/httpd-configmap.yaml
@@ -165,9 +165,9 @@ data:
     {{ if .Values.containers.httpd.webApplicationFirewall.enabled }}
     # Enable WAF
     Include conf.d/mod_security.conf
+    Include conf.d/crs-setup.conf
 
     # default ruleset
-    IncludeOptional /etc/crs4/crs-setup.conf
     IncludeOptional /etc/crs4/plugins/*-config.conf
     IncludeOptional /etc/crs4/plugins/*-before.conf
     IncludeOptional /etc/crs4/rules/*.conf