We are having a heck of a time getting MediaWiki to run as expected with (1) mod_security enabled, and (2) mod_rewrite changing HTTP requests to HTTPS requests.
Item (2) appears to be especially problematic. First, the rewrite breaks MediaWiki logins for us under 1.26.4. Second, Chrome is getting reading to change its Security UX such that anything not over HTTPS is insecure. For Chrome's change, see Google’s Chrome Hackers Are About to Upend Your Idea of Web Security.
In an effort to identify where we are diverging from known good or supported configurations, we wanted to examine what is/was tested. But there appears to be no Testing/Configuration page. Please supply a Testing/Configuration page.
We really are at a loss to explain all the problems we are experiencing when attempting to follow security best practices. For all we know, the only thing tested is a stock Apache install with no hardening and no HTTP → HTTPS rewrites.