Welcome to Coraza Web Application Firewall, this project is a Golang port of ModSecurity with the goal to become the first enterprise-grade Open Source Web Application Firewall, flexible and powerful enough to serve as the baseline for many projects.

  Coraza - Web Application Firewall

Regression Tests Coreruleset Compatibility CodeQL codecov Project Status: Active โ€“ The project has reached a stable, usable state and is being actively developed. OWASP Lab Project GoDoc

Coraza is an open source, enterprise-grade, high performance Web Application Firewall (WAF) ready to protect your beloved applications. It written in Go, supports ModSecurity SecLang rulesets and is 100% compatible with the OWASP Core Rule Set.

Key Features:

  • โ‡ฒ Drop-in - Coraza is an alternative engine that has partial compatibility with TrustwaveOWASP ModSecurity Engine and supports industry-standard SecLang rule sets.

  • ๐Ÿ”ฅ Security - Coraza runs the OWASP CRS to protect your web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS protects from many common attack categories including SQL Injection (SQLi), Cross Site Scripting (XSS), PHP & Java Code Injection, HTTPoxy, Shellshock, Scripting/Scanner/Bot Detection & Metadata & Error Leakages.

  • ๐Ÿ”Œ Extensible - Coraza is a library at its core, with many integrations to deploy on-premise Web Application Firewall instances. Audit Loggers, persistence engines, operators, actions, create your own functionalities to extend Coraza as much as you want.

  • ๐Ÿš€ Performance - From huge websites to small blogs, Coraza can handle the load with minimal performance impact. Check our Benchmarks

  • ๏นก Simplicity - Anyone can understand and modify the Coraza source code. It is easy to extend Coraza with new functionality.

  • ๐Ÿ’ฌ Community - Coraza is a community project, contributions are accepted and all ideas will be considered. Find contributor guidance in the CONTRIBUTION document.


The Coraza Project maintains implementations and plugins for the following servers:



  • Golang compiler v1.18+
  • Linux distribution (Debian or Centos recommended) or Mac. Windows is not supported yet.

Coraza Core Usage

Coraza can be used as a library for your Go program to implement a security middleware or integrate it with existing applications & webservers.

package main

import (

func main() {
	// First we initialize our waf and our seclang parser
	waf, err := coraza.NewWAF(coraza.NewWAFConfig().
		WithDirectives(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`))
	// Now we parse our rules
	if err != nil {

	// Then we create a transaction and assign some variables
    tx := waf.NewTransaction()
	defer func() {
	tx.ProcessConnection("", 8080, "", 12345)

	// Finally we process the request headers phase, which may return an interruption
	if it := tx.ProcessRequestHeaders(); it != nil {
		fmt.Printf("Transaction was interrupted with status %d\n", it.Status)

Examples/http-server provides an example to practice with Coraza.

Build tags

Go build tags can tweak certain functionality at compile-time. These are for advanced use cases only and do not have compatibility guarantees across minor versions - use with care.

  • coraza.disabled_operators.* - excludes the specified operator from compilation. Particularly useful if overriding the operator with operators.Register to reduce binary size / startup overhead.
  • coraza.rule.multiphase_valuation - enables evaluation of rule variables in the phases that they are ready, not only the phase the rule is defined for.



Coraza only requires Go for development. You can run mage.go to issue development commands.

See the list of commands

go run mage.go -l

For example, to format your code before submission, run

go run mage.go format


Contributions are welcome! Please refer to for guidance.


  • Modsecurity team for creating ModSecurity
  • OWASP Coreruleset team for the CRS and their help

Companies using Coraza

Author on Twitter


For donations, see Donations site

Thanks to all the people who have contributed

We could not have done this without you!

Made with