Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/corazawaf/coraza
OWASP Coraza WAF is a golang modsecurity compatible web application firewall library
https://github.com/corazawaf/coraza
coraza coraza-waf coreruleset go golang hacktoberfest http modsecurity owasp owasp-crs waf web-application-firewall
Last synced: 4 days ago
JSON representation
OWASP Coraza WAF is a golang modsecurity compatible web application firewall library
- Host: GitHub
- URL: https://github.com/corazawaf/coraza
- Owner: corazawaf
- License: apache-2.0
- Created: 2020-05-27T17:06:51.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2024-11-20T00:43:47.000Z (23 days ago)
- Last Synced: 2024-11-20T01:28:15.849Z (23 days ago)
- Topics: coraza, coraza-waf, coreruleset, go, golang, hacktoberfest, http, modsecurity, owasp, owasp-crs, waf, web-application-firewall
- Language: Go
- Homepage: https://www.coraza.io
- Size: 29.4 MB
- Stars: 2,266
- Watchers: 34
- Forks: 225
- Open Issues: 77
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-go - Coraza - Enterprise-ready, modsecurity and OWASP CRS compatible WAF library. (Security / HTTP Clients)
- zero-alloc-awesome-go - Coraza - Enterprise-ready, modsecurity and OWASP CRS compatible WAF library. (Security / HTTP Clients)
- awesome-repositories - corazawaf/coraza - OWASP Coraza WAF is a golang modsecurity compatible web application firewall library (Go)
- awesome-tools - coraza - OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. (Security / WAF)
- awesome-go - Coraza - Enterprise-ready, modsecurity and OWASP CRS compatible WAF library. Stars:`2.3K`. (Security / HTTP Clients)
- awesome-golang-repositories - coraza
- awesome-go-extra - coraza - 05-27T17:06:51Z|2022-08-25T11:44:43Z| (Security / HTTP Clients)
- awesome-hacking-lists - corazawaf/coraza - OWASP Coraza WAF is a golang modsecurity compatible web application firewall library (Go)
README
Β
Coraza - Web Application Firewall[![Regression Tests](https://github.com/corazawaf/coraza/actions/workflows/regression.yml/badge.svg)](https://github.com/corazawaf/coraza/actions/workflows/regression.yml)
[![Coreruleset Compatibility](https://img.shields.io/badge/Coreruleset%20Compatibility-100%25-brightgreen)](#)
[![CodeQL](https://github.com/corazawaf/coraza/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/corazawaf/coraza/actions/workflows/codeql-analysis.yml)
[![codecov](https://codecov.io/gh/corazawaf/coraza/branch/main/graph/badge.svg?token=6570804ZC7)](https://codecov.io/gh/corazawaf/coraza)
[![Project Status: Active β The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
[![OWASP Production Project](https://img.shields.io/badge/owasp-production%20project-brightgreen)](https://owasp.org/www-project-coraza-web-application-firewall)
[![GoDoc](https://godoc.org/github.com/corazawaf/coraza?status.svg)](https://godoc.org/github.com/corazawaf/coraza/v3)Coraza is an open source, enterprise-grade, high performance Web Application Firewall (WAF) ready to protect your beloved applications. It is written in Go, supports ModSecurity SecLang rulesets and is 100% compatible with the OWASP Core Rule Set v4.
* Website:
* Forum: [Github Discussions](https://github.com/corazawaf/coraza/discussions)
* OWASP Slack Community (#coraza):
* Rule testing: [Coraza Playground](https://playground.coraza.io)
Key Features:
* β² **Drop-in** - Coraza is an alternative engine that has partial compatibility with ~~Trustwave~~[OWASP ModSecurity Engine](https://github.com/owasp-modsecurity/modsecurity/) and supports industry-standard SecLang rule sets.
* π₯ **Security** - Coraza runs the [OWASP CRS](https://coreruleset.org) **v4** (Formerly known as Core Rule Set) to protect your web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS protects from many common attack categories including: SQL Injection (SQLi), Cross Site Scripting (XSS), PHP & Java Code Injection, HTTPoxy, Shellshock, Scripting/Scanner/Bot Detection & Metadata & Error Leakages. Note that older versions of the CRS are not compatible.
* π **Extensible** - Coraza is a library at its core, with many integrations to deploy on-premise Web Application Firewall instances. Audit Loggers, persistence engines, operators, actions, create your own functionalities to extend Coraza as much as you want.
* π **Performance** - From huge websites to small blogs, Coraza can handle the load with minimal performance impact. Check our [Benchmarks](https://coraza.io/docs/reference/benchmarks)
* οΉ‘ **Simplicity** - Anyone is able to understand and modify the Coraza source code. It is easy to extend Coraza with new functionality.
* π¬ **Community** - Coraza is a community project, contributions are accepted and all ideas will be considered. Find contributor guidance in the [CONTRIBUTION](https://github.com/corazawaf/coraza/blob/main/CONTRIBUTING.md) document.
## Integrations
The Coraza Project maintains implementations and plugins for the following servers:
* [Caddy Reverse Proxy and Webserver Plugin](https://github.com/corazawaf/coraza-caddy) - stable, needs a maintainer
* [Proxy WASM extension](https://github.com/corazawaf/coraza-proxy-wasm) for proxies with proxy-wasm support (e.g. Envoy) - stable, still under development
* [HAProxy SPOE Plugin](https://github.com/corazawaf/coraza-spoa) - experimental
* [Coraza C Library (For nginx, etc)](https://github.com/corazawaf/libcoraza) - experimental## Prerequisites
* Go v1.22+ or tinygo compiler
* Linux distribution (Debian or Centos recommended), Windows or Mac.## Coraza Core Usage
Coraza can be used as a library for your Go program to implement a security middleware or integrate it with existing application & webservers.
```go
package mainimport (
"fmt""github.com/corazawaf/coraza/v3"
)func main() {
// First we initialize our waf and our seclang parser
waf, err := coraza.NewWAF(coraza.NewWAFConfig().
WithDirectives(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`))
// Now we parse our rules
if err != nil {
fmt.Println(err)
}// Then we create a transaction and assign some variables
tx := waf.NewTransaction()
defer func() {
tx.ProcessLogging()
tx.Close()
}()
tx.ProcessConnection("127.0.0.1", 8080, "127.0.0.1", 12345)// Finally we process the request headers phase, which may return an interruption
if it := tx.ProcessRequestHeaders(); it != nil {
fmt.Printf("Transaction was interrupted with status %d\n", it.Status)
}
}```
[Examples/http-server](./examples/http-server/) provides an example to practice with Coraza.
### Build tags
Go build tags can tweak certain functionality at compile-time. These are for advanced use cases only and do not
have compatibility guarantees across minor versions - use with care.* `coraza.disabled_operators.*` - excludes the specified operator from compilation. Particularly useful if overriding
the operator with `plugins.RegisterOperator` to reduce binary size / startup overhead.
* `coraza.rule.multiphase_valuation` - enables evaluation of rule variables in the phases that they are ready, not
only the phase the rule is defined for.
* `memoize_builders` - enables memoization of builders for regex and aho-corasick
dictionaries to reduce memory consumption in deployments that launch several coraza
instances. For more context check [this issue](https://github.com/corazawaf/coraza-caddy/issues/76)
* `no_fs_access` - indicates that the target environment has no access to FS in order to not leverage OS' filesystem related functionality e.g. file body buffers.
* `coraza.rule.case_sensitive_args_keys` - enables case-sensitive matching for ARGS keys, aligning Coraza behavior with RFC 3986 specification. It will be enabled by default in the next major version.
* `coraza.rule.no_regex_multiline` - disables enabling by default regexes multiline modifiers in `@rx` operator. It aligns with CRS expected behavior, reduces false positives and might improve performances. No multiline regexes by default will be enabled in the next major version. For more context check [this PR](https://github.com/corazawaf/coraza/pull/876)## E2E Testing
[`http/e2e/`](./http/e2e) provides an utility to run e2e tests.
It can be used standalone against your own waf deployment:```shell
go run github.com/corazawaf/coraza/v3/http/e2e/cmd/httpe2e@main --proxy-hostport localhost:8080 --httpbin-hostport localhost:8081
```or as a library by importing:
```go
"github.com/corazawaf/coraza/v3/http/e2e"
```As a reference for library usage, see [`testing/e2e/e2e_test.go`](./testing/e2e/e2e_test.go).
Expected directives that have to be loaded and available flags can be found in [`http/e2e/cmd/httpe2e/main.go`](./http/e2e/cmd/httpe2e/main.go).## Tools
* [Go FTW](https://github.com/coreruleset/go-ftw): Rule testing engine
* [Coraza Playground](https://playground.coraza.io/): Sandbox rule testing web interface
* [OWASP Core Ruleset](https://github.com/coreruleset/coreruleset/): Awesome rule set, compatible with Coraza## Development
Coraza only requires Go for development. You can run `mage.go` to issue development commands.
See the list of commands
```
$ go run mage.go -l
Targets:
check runs lint and tests.
coverage runs tests with coverage and race detector enabled.
doc runs godoc, access at http://localhost:6060
format formats code in this repository.
fuzz runs fuzz tests
lint verifies code quality.
precommit installs a git hook to run check when committing
test runs all tests.
```For example, to format your code before submission, run
```shell
go run mage.go format
```## Contribute
Contributions are welcome! Please refer to [CONTRIBUTING.md](./CONTRIBUTING.md) for guidance.
## Security
To report a security issue, please follow [this link](https://github.com/corazawaf/coraza/security/advisories/new) and add a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
Our vulnerability management team will respond within 3 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90 day disclosure timeline.
## Thanks
* OWASP Coreruleset team for the CRS and their help
* Ivan RistiΔ for creating ModSecurity### Coraza on X/Twitter
* [@corazaio](https://twitter.com/corazaio)
## Donations
For donations, see [Donations site](https://owasp.org/donate/?reponame=www-project-coraza-web-application-firewall&title=OWASP+Coraza+Web+Application+Firewall)
## Thanks to all the people who have contributed
First and foremost, huge thanks to [Juan Pablo Tosso](https://twitter.com/jptosso) for starting this project, and building an amazing community around Coraza!
Today we have lots of amazing contributors, we could not have done this without you!
Made with [contrib.rocks](https://contrib.rocks).