About
A Web Application Firewall (WAF) HTTP filter plugin that provides layer 7 security for web applications using the Coraza WAF engine.
Features
This plugin provides comprehensive web application security:
- OWASP ModSecurity Core Rule Set (CRS): Built-in protection against common web attacks
- Request inspection: Analyzes HTTP requests for malicious patterns and anomalies
- Response inspection: Examines HTTP responses to prevent data leakage
- Flexible rule engine: Supports custom security rules and policies
- Multiple operation modes: Detection-only or active blocking modes
- Detailed logging: Comprehensive audit logging of security events
Packaging
This is the embedded version of the plugin, compiled directly into the Composer dynamic module binary. This approach guarantees Go runtime compatibility since the plugin and host are built together with the same toolchain and dependencies.
Security Rules
The WAF comes with support for OWASP ModSecurity Core Rule Set (CRS) and allows custom rule configuration for specific security requirements.
Usage Examples
SQL Injection Protection
The following example demonstrates how to run the WAF plugin with recommended OWASP CRS rules and test SQL injection protection by sending a malicious payload that should be blocked by the WAF.
By default, the WAF is configured in DetectionOnly mode, which means it only logs detected attacks without blocking them. To enable active blocking, this example sets SecRuleEngine On in the configuration (after Include @recommended.conf, so it overrides that file's default). It also sets SecResponseBodyAccess Off to disable response body inspection, as it is not needed for the example.
```shell
# Start WAF with recommended OWASP CRS rules and enforcement enabled
boe run --extension coraza-waf --config '
{
  "directives": [
    "Include @recommended.conf",
    "SecRuleEngine On",
    "SecResponseBodyAccess Off",
    "Include @crs-setup.conf",
    "Include @owasp_crs/*.conf"
  ]
}'

# Try sending a SQL injection payload and see the request rejected
curl -v http://localhost:10000/post -X POST --data "1%27%20ORDER%20BY%203--%2B"
< HTTP/1.1 403 Forbidden
< content-length: 22
< content-type: text/plain
< date: Thu, 12 Feb 2026 10:28:16 GMT
< server: envoy
<
Request blocked by WAF
```
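The following is an added example, not code from the plugin or this README: a small smoke test that confirms the WAF is really in blocking mode rather than DetectionOnly, by sending the same payload as the curl above plus a benign one and comparing the two responses. It assumes the endpoint from the example (`http://localhost:10000/post`); the `check_enforcement` function and the injectable `send` callable are my own constructions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Tuple

# Directives from the README example; SecRuleEngine On is inserted only for
# blocking mode, right after @recommended.conf so it overrides that file's
# DetectionOnly default.
BASE_DIRECTIVES = [
    "Include @recommended.conf",
    "SecResponseBodyAccess Off",
    "Include @crs-setup.conf",
    "Include @owasp_crs/*.conf",
]

# Decoded form of the curl payload; the WAF inspects the decoded value.
SQLI_PAYLOAD = "1' ORDER BY 3--+"
BENIGN_PAYLOAD = "hello"

def plugin_directives(blocking: bool) -> list:
    """Directive list for DetectionOnly (default) or active blocking."""
    directives = list(BASE_DIRECTIVES)
    if blocking:
        directives.insert(1, "SecRuleEngine On")
    return directives

def plugin_config(blocking: bool) -> str:
    """JSON string in the shape passed to `boe run --config`."""
    return json.dumps({"directives": plugin_directives(blocking)}, indent=2)

def encoded_payload(raw: str) -> str:
    """URL-encode a form body the same way the curl --data value is encoded."""
    return urllib.parse.quote(raw)

def http_post(url: str, body: bytes) -> Tuple[int, str]:
    """Default sender: POST body to url, return (status, response text)."""
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # the WAF's 403 lands here
        return err.code, err.read().decode(errors="replace")

def check_enforcement(url: str, send: Callable[[str, bytes], Tuple[int, str]] = http_post) -> dict:
    """Classify the WAF mode from how it treats an attack vs a benign request."""
    attack_status, attack_body = send(url, encoded_payload(SQLI_PAYLOAD).encode())
    benign_status, _ = send(url, encoded_payload(BENIGN_PAYLOAD).encode())
    if attack_status == 403 and "blocked by WAF" in attack_body:
        verdict = "blocking"
    elif attack_status == benign_status:
        verdict = "detection-only"  # attack passed through; check the audit log
    else:
        verdict = "unexpected"
    return {"attack": attack_status, "benign": benign_status, "verdict": verdict}

if __name__ == "__main__":
    print(check_enforcement("http://localhost:10000/post"))
```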