{"name":"Coraza WAF: A High-Performance Go Web Application Firewall","description":"Coraza WAF is an open-source, enterprise-grade Web Application Firewall written in Go, offering high performance and ModSecurity SecLang ruleset compatibility. It provides robust protection for web applications, being 100% compatible with the OWASP Core Rule Set v4. Developers can integrate Coraza as a library to secure their applications against a wide range of attacks.","github":"https://github.com/corazawaf/coraza","url":"https://osrepos.com/repo/corazawaf-coraza","source":"osrepos.com","sourceDescription":"This repository profile is provided by osrepos.com, an open source repository discovery platform.","repositoryProfile":"https://osrepos.com/repo/corazawaf-coraza","generatedFor":"open source discovery and AI-assisted research","markdown":"https://osrepos.com/repo/corazawaf-coraza.md","json":"https://osrepos.com/repo/corazawaf-coraza.json","topics":["coraza","waf","golang","modsecurity","owasp","security","web-application-firewall","open-source"],"keywords":["coraza","waf","golang","modsecurity","owasp","security","web-application-firewall","open-source"],"stars":null,"summary":"Coraza WAF is an open-source, enterprise-grade Web Application Firewall written in Go, offering high performance and ModSecurity SecLang ruleset compatibility. It provides robust protection for web applications, being 100% compatible with the OWASP Core Rule Set v4. Developers can integrate Coraza as a library to secure their applications against a wide range of attacks.","content":"## Introduction\n\n**Coraza WAF** (`corazawaf/coraza`) is an open-source, enterprise-grade Web Application Firewall (WAF) designed to protect your web applications with high performance. Written in Go, Coraza is compatible with ModSecurity SecLang rulesets and boasts 100% compatibility with the OWASP Core Rule Set (CRS) v4. 
This makes it a powerful and flexible solution for safeguarding against a wide array of web-based threats, including the OWASP Top Ten.\n\nKey features of Coraza WAF include:\n*   **Drop-in**: An alternative engine with partial compatibility with the OWASP ModSecurity Engine, supporting industry-standard SecLang rule sets.\n*   **Security**: Runs the OWASP CRS v4 to protect against SQL Injection, Cross Site Scripting (XSS), PHP & Java Code Injection, and more.\n*   **Extensible**: As a library, Coraza allows for custom integrations, audit loggers, persistence engines, operators, and actions.\n*   **Performance**: Engineered to handle significant load with minimal performance impact, suitable for both large and small applications.\n*   **Simplicity**: Designed for ease of understanding and modification, making it straightforward to extend with new functionality.\n*   **Community**: An active community project that welcomes contributions and new ideas.\n\n## Installation\n\nCoraza WAF is primarily used as a Go library. 
To integrate it into your Go project, you need Go v1.22+ or a TinyGo compiler.\n\nTo add Coraza to your project, simply use `go get`:\n\n```bash\ngo get github.com/corazawaf/coraza/v3\n```\n\nCoraza can then be imported and used within your Go application to implement security middleware or integrate with existing web servers.\n\n## Examples\n\nHere's a basic example demonstrating how to initialize Coraza WAF and process a request with a simple rule:\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/corazawaf/coraza/v3\"\n)\n\nfunc main() {\n\t// Initialize the WAF; the SecLang directive below is parsed at this point\n\twaf, err := coraza.NewWAF(coraza.NewWAFConfig().\n\t\tWithDirectives(`SecRule REMOTE_ADDR \"@rx .*\" \"id:1,phase:1,deny,status:403\"`))\n\t// Stop if the rule failed to parse: waf is nil and must not be used\n\tif err != nil {\n\t\tfmt.Println(err)\n\t\treturn\n\t}\n\n\t// Then we create a transaction and assign some variables\n\ttx := waf.NewTransaction()\n\tdefer func() {\n\t\ttx.ProcessLogging()\n\t\ttx.Close()\n\t}()\n\ttx.ProcessConnection(\"127.0.0.1\", 8080, \"127.0.0.1\", 12345)\n\n\t// Finally we process the request headers phase, which may return an interruption\n\tif it := tx.ProcessRequestHeaders(); it != nil {\n\t\tfmt.Printf(\"Transaction was interrupted with status %d\\n\", it.Status)\n\t}\n}\n```\n\nThis example initializes a WAF instance with a rule that denies any request from any remote IP address, returning a 403 status. 
It then creates a transaction, processes connection details, and finally processes request headers, checking for any interruptions caused by the WAF rules.\n\n## Why Use Coraza WAF?\n\nChoosing Coraza WAF for your application security offers several compelling advantages:\n\n*   **Robust Security with OWASP CRS**: By being 100% compatible with OWASP Core Rule Set v4, Coraza provides comprehensive protection against common and emerging web vulnerabilities, ensuring your applications are shielded from the OWASP Top Ten.\n*   **High Performance**: Built in Go, Coraza is designed for speed and efficiency, allowing it to handle high traffic volumes without significantly impacting application performance.\n*   **Flexibility and Extensibility**: Its library-first approach means Coraza can be deeply integrated into various Go applications and extended with custom logic, making it adaptable to specific security needs.\n*   **ModSecurity Compatibility**: For those familiar with ModSecurity, Coraza offers a familiar ruleset language, easing the transition and leveraging existing knowledge and rule sets.\n*   **Active Community and Development**: As an OWASP production project, Coraza benefits from an active community, ensuring continuous development, support, and security updates.\n\n## Links\n\n*   **GitHub Repository**: [https://github.com/corazawaf/coraza](https://github.com/corazawaf/coraza)\n*   **Official Website**: [https://coraza.io](https://coraza.io)\n*   **GitHub Discussions (Forum)**: [https://github.com/corazawaf/coraza/discussions](https://github.com/corazawaf/coraza/discussions)\n*   **OWASP Slack Community**: [https://owasp.org/slack/invite](https://owasp.org/slack/invite)\n*   **Coraza Playground**: [https://playground.coraza.io](https://playground.coraza.io)\n*   **OWASP Core Rule Set**: [https://coreruleset.org](https://coreruleset.org)","metrics":{"detailViews":5,"githubClicks":7},"dates":{"published":null,"modified":"2025-10-19T23:01:22.000Z"}}