{"id":13413772,"url":"https://github.com/corazawaf/coraza","last_synced_at":"2025-05-14T22:02:26.776Z","repository":{"id":37098580,"uuid":"267379172","full_name":"corazawaf/coraza","owner":"corazawaf","description":"OWASP Coraza WAF is a golang modsecurity compatible web application firewall library","archived":false,"fork":false,"pushed_at":"2025-05-06T05:56:51.000Z","size":30914,"stargazers_count":2636,"open_issues_count":97,"forks_count":257,"subscribers_count":36,"default_branch":"main","last_synced_at":"2025-05-07T21:13:14.228Z","etag":null,"topics":["coraza","coraza-waf","coreruleset","go","golang","hacktoberfest","http","modsecurity","owasp","owasp-crs","waf","web-application-firewall"],"latest_commit_sha":null,"homepage":"https://www.coraza.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/corazawaf.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"custom":"https://owasp.org/donate/?reponame=www-project-coraza-web-application-firewall\u0026title=OWASP+Coraza+Web+Application+Firewall","github":"OWASP"}},"created_at":"2020-05-27T17:06:51.000Z","updated_at":"2025-05-07T20:13:09.000Z","dependencies_parsed_at":"2023-11-28T00:23:56.947Z","dependency_job_id":"4996aac0-c546-433b-a703-13d6f0786306","html_url":"https://github.com/corazawaf/coraza","commit_stats":{"total_commits":917,"total_committers":35,"mean_commits":26.2,"dds":0.7197382769901854,"last_synced_commit":"cbf0aa7f57983b9234efec9c84c1f723c7229cd6"},"previous_names":["jptosso/coraza","jptosso/coraza-waf"],"tags_count":38,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/corazawaf","download_url":"https://codeload.github.com/corazawaf/coraza/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254235685,"owners_count":22036962,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["coraza","coraza-waf","coreruleset","go","golang","hacktoberfest","http","modsecurity","owasp","owasp-crs","waf","web-application-firewall"],"created_at":"2024-07-30T20:01:48.912Z","updated_at":"2025-05-14T22:02:26.725Z","avatar_url":"https://github.com/corazawaf.png","language":"Go","funding_links":["https://owasp.org/donate/?reponame=www-project-coraza-web-application-firewall\u0026title=OWASP+Coraza+Web+Application+Firewall","https://github.com/sponsors/OWASP"],"categories":["Go","Security","Uncategorized","OWASP Tools","安全","Security \u0026 Compliance","Repositories"],"sub_categories":["HTTP Clients","Uncategorized","WAF","WAF and Rule Sets","HTTP客户端"],"readme":"\u003ch1\u003e\n  \u003cimg src=\"https://coraza.io/images/logo_shield_only.png\" align=\"left\" height=\"46px\" alt=\"\"/\u003e\u0026nbsp;\n  \u003cspan\u003eCoraza - Web Application Firewall\u003c/span\u003e\n\u003c/h1\u003e\n\n[![Regression Tests](https://github.com/corazawaf/coraza/actions/workflows/regression.yml/badge.svg)](https://github.com/corazawaf/coraza/actions/workflows/regression.yml)\n[![Coreruleset Compatibility](https://img.shields.io/badge/Coreruleset%20Compatibility-100%25-brightgreen)](#)\n[![CodeQL](https://github.com/corazawaf/coraza/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/corazawaf/coraza/actions/workflows/codeql-analysis.yml)\n[![codecov](https://codecov.io/gh/corazawaf/coraza/branch/main/graph/badge.svg?token=6570804ZC7)](https://codecov.io/gh/corazawaf/coraza)\n[![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)\n[![OWASP Production Project](https://img.shields.io/badge/owasp-production%20project-brightgreen)](https://owasp.org/www-project-coraza-web-application-firewall)\n[![GoDoc](https://godoc.org/github.com/corazawaf/coraza?status.svg)](https://godoc.org/github.com/corazawaf/coraza/v3)\n\nCoraza is an open source, enterprise-grade, high performance Web Application Firewall (WAF) ready to protect your beloved applications. It is written in Go, supports ModSecurity SecLang rulesets and is 100% compatible with the OWASP Core Rule Set v4.\n\n* Website: \u003chttps://coraza.io\u003e\n* Forum: [Github Discussions](https://github.com/corazawaf/coraza/discussions)\n* OWASP Slack Community (#coraza): \u003chttps://owasp.org/slack/invite\u003e\n* Rule testing: [Coraza Playground](https://playground.coraza.io)\n\n\u003cbr/\u003e\n\nKey Features:\n\n* ⇲ **Drop-in** - Coraza is an alternative engine that has partial compatibility with ~~Trustwave~~[OWASP ModSecurity Engine](https://github.com/owasp-modsecurity/modsecurity/) and supports industry-standard SecLang rule sets.\n\n* 🔥 **Security** -  Coraza runs the [OWASP CRS](https://coreruleset.org) **v4** (Formerly known as Core Rule Set) to protect your web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS protects from many common attack categories including: SQL Injection (SQLi), Cross Site Scripting (XSS), PHP \u0026 Java Code Injection, HTTPoxy, Shellshock, Scripting/Scanner/Bot Detection \u0026 Metadata \u0026 Error Leakages. Note that older versions of the CRS are not compatible.\n\n* 🔌 **Extensible** - Coraza is a library at its core, with many integrations to deploy on-premise Web Application Firewall instances. Audit Loggers, persistence engines, operators, actions, create your own functionalities to extend Coraza as much as you want.\n\n* 🚀 **Performance** - From huge websites to small blogs, Coraza can handle the load with minimal performance impact. Check our [Benchmarks](https://coraza.io/docs/reference/benchmarks)\n\n* ﹡ **Simplicity** - Anyone is able to understand and modify the Coraza source code. It is easy to extend Coraza with new functionality.\n\n* 💬 **Community** - Coraza is a community project, contributions are accepted and all ideas will be considered. Find contributor guidance in the [CONTRIBUTION](https://github.com/corazawaf/coraza/blob/main/CONTRIBUTING.md) document.\n\n\u003cbr/\u003e\n\n## Integrations\n\nThe Coraza Project maintains implementations and plugins for the following servers:\n\n* [Caddy Reverse Proxy and Webserver Plugin](https://github.com/corazawaf/coraza-caddy) - stable, needs a maintainer\n* [Proxy WASM extension](https://github.com/corazawaf/coraza-proxy-wasm) for proxies with proxy-wasm support (e.g. Envoy) - stable, still under development\n* [HAProxy SPOE Plugin](https://github.com/corazawaf/coraza-spoa) - experimental\n* [Coraza C Library (For nginx, etc)](https://github.com/corazawaf/libcoraza) - experimental\n\n## Prerequisites\n\n* Go v1.22+ or tinygo compiler\n* Linux distribution (Debian or Centos recommended), Windows or Mac.\n\n## Coraza Core Usage\n\nCoraza can be used as a library for your Go program to implement a security middleware or integrate it with existing application \u0026 webservers.\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/corazawaf/coraza/v3\"\n)\n\nfunc main() {\n\t// First we initialize our waf and our seclang parser\n\twaf, err := coraza.NewWAF(coraza.NewWAFConfig().\n\t\tWithDirectives(`SecRule REMOTE_ADDR \"@rx .*\" \"id:1,phase:1,deny,status:403\"`))\n\t// Now we parse our rules\n\tif err != nil {\n\t\tfmt.Println(err)\n\t}\n\n\t// Then we create a transaction and assign some variables\n\ttx := waf.NewTransaction()\n\tdefer func() {\n\t\ttx.ProcessLogging()\n\t\ttx.Close()\n\t}()\n\ttx.ProcessConnection(\"127.0.0.1\", 8080, \"127.0.0.1\", 12345)\n\n\t// Finally we process the request headers phase, which may return an interruption\n\tif it := tx.ProcessRequestHeaders(); it != nil {\n\t\tfmt.Printf(\"Transaction was interrupted with status %d\\n\", it.Status)\n\t}\n}\n\n```\n\n[Examples/http-server](./examples/http-server/) provides an example to practice with Coraza.\n\n### Build tags\n\nGo build tags can tweak certain functionality at compile-time. These are for advanced use cases only and do not\nhave compatibility guarantees across minor versions - use with care.\n\n* `coraza.disabled_operators.*` - excludes the specified operator from compilation. Particularly useful if overriding\nthe operator with `plugins.RegisterOperator` to reduce binary size / startup overhead.\n* `coraza.rule.multiphase_evaluation` - enables evaluation of rule variables in the phases that they are ready, not\nonly the phase the rule is defined for.\n* `memoize_builders` - enables memoization of builders for regex and aho-corasick\ndictionaries to reduce memory consumption in deployments that launch several coraza\ninstances. For more context check [this issue](https://github.com/corazawaf/coraza-caddy/issues/76)\n* `no_fs_access` - indicates that the target environment has no access to FS in order to not leverage OS' filesystem related functionality e.g. file body buffers.\n* `coraza.rule.case_sensitive_args_keys` - enables case-sensitive matching for ARGS keys, aligning Coraza behavior with RFC 3986 specification. It will be enabled by default in the next major version.\n* `coraza.rule.no_regex_multiline` - disables enabling by default regexes multiline modifiers in `@rx` operator. It aligns with CRS expected behavior, reduces false positives and might improve performances. No multiline regexes by default will be enabled in the next major version. For more context check [this PR](https://github.com/corazawaf/coraza/pull/876)\n\n## E2E Testing\n\n[`http/e2e/`](./http/e2e) provides an utility to run e2e tests.\nIt can be used standalone against your own waf deployment:\n\n```shell\ngo run github.com/corazawaf/coraza/v3/http/e2e/cmd/httpe2e@main --proxy-hostport localhost:8080 --httpbin-hostport localhost:8081\n```\n\nor as a library by importing:\n\n```go\n\"github.com/corazawaf/coraza/v3/http/e2e\"\n```\n\nAs a reference for library usage, see [`testing/e2e/e2e_test.go`](./testing/e2e/e2e_test.go).\nExpected directives that have to be loaded and available flags can be found in [`http/e2e/cmd/httpe2e/main.go`](./http/e2e/cmd/httpe2e/main.go).\n\n## Tools\n\n* [Go FTW](https://github.com/coreruleset/go-ftw): Rule testing engine\n* [Coraza Playground](https://playground.coraza.io/): Sandbox rule testing web interface\n* [OWASP Core Ruleset](https://github.com/coreruleset/coreruleset/): Awesome rule set, compatible with Coraza\n\n## Development\n\nCoraza only requires Go for development. You can run `mage.go` to issue development commands.\n\nSee the list of commands\n\n```\n$ go run mage.go -l\nTargets:\n  check        runs lint and tests.\n  coverage     runs tests with coverage and race detector enabled.\n  doc          runs godoc, access at http://localhost:6060\n  format       formats code in this repository.\n  fuzz         runs fuzz tests\n  lint         verifies code quality.\n  precommit    installs a git hook to run check when committing\n  test         runs all tests.\n```\n\nFor example, to format your code before submission, run\n\n```shell\ngo run mage.go format\n```\n\n## Contribute\n\nContributions are welcome! Please refer to [CONTRIBUTING.md](./CONTRIBUTING.md) for guidance.\n\n## Security\n\nTo report a security issue, please follow [this link](https://github.com/corazawaf/coraza/security/advisories/new) and add a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.\n\nOur vulnerability management team will respond within 3 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90 day disclosure timeline.\n\n## Thanks\n\n* OWASP Coreruleset team for the CRS and their help\n* Ivan Ristić for creating ModSecurity\n\n### Coraza on X/Twitter\n\n* [@corazaio](https://twitter.com/corazaio)\n\n## Donations\n\nFor donations, see [Donations site](https://owasp.org/donate/?reponame=www-project-coraza-web-application-firewall\u0026title=OWASP+Coraza+Web+Application+Firewall)\n\n## Thanks to all the people who have contributed\n\nFirst and foremost, huge thanks to [Juan Pablo Tosso](https://twitter.com/jptosso) for starting this project, and building an amazing community around Coraza!\n\nToday we have lots of amazing contributors, we could not have done this without you!\n\n\u003ca href=\"https://github.com/corazawaf/coraza/graphs/contributors\"\u003e\n  \u003cimg src=\"https://contrib.rocks/image?repo=corazawaf/coraza\" /\u003e\n\u003c/a\u003e\n\nMade with [contrib.rocks](https://contrib.rocks).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcorazawaf%2Fcoraza","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcorazawaf%2Fcoraza","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcorazawaf%2Fcoraza/lists"}