• Linux distribution (Debian and Centos are recommended, Windows is not supported yet)
• Golang compiler v1.16+

• Rollback SecAuditLog to the legacy syntax (serial/concurrent)
• Attach an error log handler using waf.SetErrorLogCb(cb) (optional)
• If you are using @detectXSS and @detectSQLi (CRS) install the plugin github.com/jptosso/coraza-libinjection
• If you are using @rx with libpcre (CRS) install the plugin github.com/jptosso/coraza-pcre
• If you are using low level APIs check the complete changelog as most of them were removed

Run the go tests:

go test ./...
go test -race ./...

• Full internal API refactor, public API has not changed
• Full audit engine refactor with plugins support
• New enhanced plugins interface for transformations, actions, body processors and operators
• Now we are fully compliant with Seclang from modsecurity v2
• Many features removed and transformed into plugins: XML processing, PCRE regex, Libinjection (@detectXSS and @detectSQLi)
• Better debug logging
• New error logging (like modsecurity)

package main
import(
	"fmt"
	"github.com/jptosso/coraza-waf/v2"
	"github.com/jptosso/coraza-waf/v2/seclang"
)

func main() {
	// First we initialize our waf and our seclang parser
	waf := coraza.NewWaf()
	parser, _ := seclang.NewParser(waf)

	// Now we parse our rules
	if err := parser.FromString(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`); err != nil {
		fmt.Println(err)
	}

	// Then we create a transaction and assign some variables
	tx := waf.NewTransaction()
	tx.ProcessConnection("127.0.0.1", 8080, "127.0.0.1", 12345)

	// Finally we process the request headers phase, which may return an interruption
	if it := tx.ProcessRequestHeaders(); it != nil {
		fmt.Printf("Transaction was interrupted with status %d\n", it.Status)
	}
}

• Simplicity: Anyone should be able to understand and modify Coraza WAF's source code
• Extensibility: It should be easy to extend Coraza WAF with new functionalities
• Innovation: Coraza WAF isn't just a ModSecurity port, it must include awesome new functions (in the meantime it's just a port 😅)
• Community: Coraza WAF is a community project and everyone's idea will be heard

• WASM scripts support
• Lua script support
• Integrated DDOS protection and directives with iptables(Or others) integration
• Integrated bot detection with captcha
• Open Policy Agent package (OPA)
• Enhanced data signing features (cookies, forms, etc)
• OpenAPI enforcement
• JWT enforcement
• XML request body processor
• Libinjection integration (done)
• Lib PCRE integration (done)
• Bluemonday policies (maybe)

• Caddy Plugin (Reverse Proxy and Web Server) (Stable)
• Traefik Plugin (Reverse Proxy and Web Server) (preview)
• Gin Middleware (Web Framework) (Preview)
• Buffalo Plugin (Web Framework) (soon)
• Coraza Server (HAPROXY, REST and GRPC) (experimental)
• Apache httpd (experimental)
• Nginx (soon)
• Coraza C Exports (experimental)

• Go FTW: rule testing engine
• Coraza Playground: rule testing sandbox with web interface

Contributions are welcome, there are so many TODOs, also functionalities, fixes, bug reports and any help you can provide. Just send your PR.

cd /path/to/coraza
egrep -Rin "TODO|FIXME" -R --exclude-dir=vendor *

• Modsecurity team for creating ModSecurity
• OWASP Coreruleset team for the CRS and their help
• @fzipi for his support and help
• @dune73 for the Modsecurity Handbook (The bible for this project) and all of his support

• Babiel (supporter)

The name Coraza is trademarked, Coraza is a registered trademark of Juan Pablo Tosso.

• Author on Twitter @jptosso

For donations, see Donations site