OWASP Core Ruleset

OWASP Core Ruleset is the most robust open source WAF rule set available in the internet, compatible with Coraza.

Important: OWASP Core Ruleset requires coraza-libinjection and coraza-pcre plugins to work. There is an upcoming fork that removes the need for the plugins by removing a few features and rewriting some @rx operators to RE2 instead of PCRE.


Core Ruleset can be normally installed by importing each required file in the following order:

wget https://raw.githubusercontent.com/jptosso/coraza-waf/v2/master/coraza.conf-recommended -O coraza.conf
git clone https://github.com/coreruleset/coreruleset
  1. coraza.conf
  2. coreruleset/crs-setup.conf.example
  3. coreruleset/rules/*.conf

For example:

func initCoraza(){
  waf := coraza.NewWaf()
  parser, _ := seclang.NewParser(waf)
  files := []string{
  for _, f := range files {
    if err := parser.FromFile(f); err != nil {


Please check https://coreruleset.org/installation/ for configuration examples.