Coraza

Enterprise-ready, modsecurity and OWASP CRS compatible WAF library.


Prerequisites

  • Go v1.20+ or tinygo compiler
  • Linux distribution (Debian or CentOS recommended), Windows or Mac.

Build tags

Go build tags can tweak certain functionality at compile time. These are for advanced use cases only and carry no compatibility guarantees across minor versions; use with care.

  • coraza.disabled_operators.* - excludes the specified operator from compilation. Particularly useful if overriding the operator with plugins.RegisterOperator, to reduce binary size and startup overhead.
  • coraza.rule.multiphase_valuation - enables evaluation of rule variables in the phases in which they are ready, not only in the phase the rule is defined for.
  • memoize_builders - enables memoization of builders for regex and Aho-Corasick dictionaries, to reduce memory consumption in deployments that launch several Coraza instances. For more context check this issue.
  • no_fs_access - indicates that the target environment has no filesystem access, so that OS filesystem functionality (e.g. file body buffers) is not used.
  • coraza.rule.case_sensitive_args_keys - enables case-sensitive matching for ARGS keys, aligning Coraza behavior with RFC 3986. It will be enabled by default in the next major version.

Tools

Development

Coraza only requires Go for development. You can run mage.go to issue development commands.

See the list of commands:

$ go run mage.go -l
Targets:
  check        runs lint and tests.
  coverage     runs tests with coverage and race detector enabled.
  doc          runs godoc, access at http://localhost:6060
  format       formats code in this repository.
  fuzz         runs fuzz tests
  lint         verifies code quality.
  precommit    installs a git hook to run check when committing
  test         runs all tests.

For example, to format your code before submission, run:

go run mage.go format

Security

To report a security issue, please follow this link and add a description of the issue, the steps you took to reproduce it, the affected versions, and, if known, mitigations for the issue.

Our vulnerability management team will respond within 3 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90-day disclosure timeline.

Thanks

  • OWASP Coreruleset team for the CRS and their help
  • Ivan Ristić for creating ModSecurity

Coraza on Twitter

Thanks to all the people who have contributed

First and foremost, huge thanks to Juan Pablo Tosso for starting this project, and building an amazing community around Coraza!

Today we have lots of amazing contributors; we could not have done this without you!

Made with contrib.rocks.


Articles

  • coming soon...