# Coraza WAF: A High-Performance Go Web Application Firewall

This repository profile is provided by osrepos.com, an open source repository discovery platform.

Repository profile: https://osrepos.com/repo/corazawaf-coraza

Coraza WAF is an open-source, enterprise-grade Web Application Firewall written in Go, offering high performance and ModSecurity SecLang ruleset compatibility. It provides robust protection for web applications, being 100% compatible with the OWASP Core Rule Set v4. Developers can integrate Coraza as a library to secure their applications against a wide range of attacks.

GitHub: https://github.com/corazawaf/coraza

## Topics

- coraza
- waf
- golang
- modsecurity
- owasp
- security
- web-application-firewall
- open-source

## Repository Information

Last analyzed by OSRepos: Mon Oct 20 2025 00:01:22 GMT+0100 (Western European Summer Time)

## Introduction

**Coraza WAF** (`corazawaf/coraza`) is an open-source, enterprise-grade Web Application Firewall (WAF) designed to protect your web applications with high performance. Written in Go, Coraza is compatible with ModSecurity SecLang rulesets and boasts 100% compatibility with the OWASP Core Rule Set (CRS) v4. This makes it a powerful and flexible solution for safeguarding against a wide array of web-based threats, including the OWASP Top Ten.

Key features of Coraza WAF include:
*   **Drop-in**: An alternative engine with partial compatibility with the OWASP ModSecurity Engine, supporting industry-standard SecLang rule sets.
*   **Security**: Runs the OWASP CRS v4 to protect against SQL Injection, Cross Site Scripting (XSS), PHP & Java Code Injection, and more.
*   **Extensible**: As a library, Coraza allows for custom integrations, audit loggers, persistence engines, operators, and actions.
*   **Performance**: Engineered to handle significant load with minimal performance impact, suitable for both large and small applications.
*   **Simplicity**: Designed for ease of understanding and modification, making it straightforward to extend with new functionality.
*   **Community**: An active community project that welcomes contributions and new ideas.

## Installation

Coraza WAF is primarily used as a Go library. To integrate it into your Go project, you need Go v1.22+ or a TinyGo compiler.

To add Coraza to your project, simply use `go get`:

```bash
go get github.com/corazawaf/coraza/v3
```

Coraza can then be imported and used within your Go application to implement security middleware or integrate with existing web servers.

## Examples

Here's a basic example demonstrating how to initialize Coraza WAF and process a request with a simple rule:

```go
package main

import (
	"fmt"
	"os"

	"github.com/corazawaf/coraza/v3"
)

func main() {
	// Initialize the WAF. The SecLang directives are parsed here, so an
	// invalid rule surfaces as an error from NewWAF.
	waf, err := coraza.NewWAF(coraza.NewWAFConfig().
		WithDirectives(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`))
	if err != nil {
		// Stop here: continuing would dereference a nil waf below.
		fmt.Println(err)
		os.Exit(1)
	}

	// Create a transaction and assign some variables
	tx := waf.NewTransaction()
	defer func() {
		// Run the logging phase and release the transaction's resources
		tx.ProcessLogging()
		tx.Close()
	}()
	tx.ProcessConnection("127.0.0.1", 8080, "127.0.0.1", 12345)

	// Process the request headers phase, which may return an interruption
	if it := tx.ProcessRequestHeaders(); it != nil {
		fmt.Printf("Transaction was interrupted with status %d\n", it.Status)
	}
}
```

This example initializes a WAF instance with a rule that denies any request from any remote IP address, returning a 403 status. It then creates a transaction, processes connection details, and finally processes request headers, checking for any interruptions caused by the WAF rules.
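
To make the directive in that example easier to read, the following added example (not code from the Coraza project, and not its SecLang parser) splits a single-line `SecRule` into its variable, operator and actions using only the standard library. It shows why the interruption appears at `tx.ProcessRequestHeaders()`: `phase:1` is the request-headers phase, and `deny` with `status:403` is what sets the reported status. `Rule`, `splitQuoted` and `ParseSecRule` are hypothetical names introduced here.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified view of one SecRule directive (not Coraza's own type).
type Rule struct {
	Variables, Operator, Argument string
	Actions                       map[string]string // flag actions such as deny map to ""
}

// splitQuoted splits s on sep except inside q quotes; the quote characters are dropped.
func splitQuoted(s string, sep, q rune) (out []string) {
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		if r == q {
			inQuote = !inQuote
		} else if r == sep && !inQuote {
			out = append(out, cur.String())
			cur.Reset()
		} else {
			cur.WriteRune(r)
		}
	}
	return append(out, cur.String())
}

// ParseSecRule handles only: SecRule VARIABLES "OPERATOR" "ACTIONS" (assumed: no escapes, negation, chains).
func ParseSecRule(d string) (Rule, error) {
	f := splitQuoted(strings.TrimSpace(d), ' ', '"')
	if len(f) != 4 || f[0] != "SecRule" {
		return Rule{}, fmt.Errorf("not a single-line SecRule: %d fields", len(f))
	}
	r := Rule{Variables: f[1], Operator: "rx", Argument: f[2], Actions: map[string]string{}}
	if strings.HasPrefix(f[2], "@") { // explicit operator; SecLang assumes @rx otherwise
		r.Operator, r.Argument, _ = strings.Cut(f[2][1:], " ")
	}
	for _, a := range splitQuoted(f[3], ',', '\'') {
		k, v, _ := strings.Cut(strings.TrimSpace(a), ":")
		r.Actions[k] = v
	}
	return r, nil
}

func main() { // parses the directive used in the example above
	fmt.Println(ParseSecRule(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`))
}
```

Because the operator is `@rx .*` on `REMOTE_ADDR`, the rule matches every client address, so it is useful for confirming that the WAF is wired in but not as a production rule.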

## Why Use Coraza WAF?

Choosing Coraza WAF for your application security offers several compelling advantages:

*   **Robust Security with OWASP CRS**: By being 100% compatible with OWASP Core Rule Set v4, Coraza provides comprehensive protection against common and emerging web vulnerabilities, ensuring your applications are shielded from the OWASP Top Ten.
*   **High Performance**: Built in Go, Coraza is designed for speed and efficiency, allowing it to handle high traffic volumes without significantly impacting application performance.
*   **Flexibility and Extensibility**: Its library-first approach means Coraza can be deeply integrated into various Go applications and extended with custom logic, making it adaptable to specific security needs.
*   **ModSecurity Compatibility**: For those familiar with ModSecurity, Coraza offers a familiar ruleset language, easing the transition and leveraging existing knowledge and rule sets.
*   **Active Community and Development**: As an OWASP production project, Coraza benefits from an active community, ensuring continuous development, support, and security updates.

## Links

*   **GitHub Repository**: [https://github.com/corazawaf/coraza](https://github.com/corazawaf/coraza)
*   **Official Website**: [https://coraza.io](https://coraza.io)
*   **GitHub Discussions (Forum)**: [https://github.com/corazawaf/coraza/discussions](https://github.com/corazawaf/coraza/discussions)
*   **OWASP Slack Community**: [https://owasp.org/slack/invite](https://owasp.org/slack/invite)
*   **Coraza Playground**: [https://playground.coraza.io](https://playground.coraza.io)
*   **OWASP Core Rule Set**: [https://coreruleset.org](https://coreruleset.org)