Tools/corazawaf/coraza

coraza

OWASP Coraza WAF is a golang modsecurity compatible web application firewall library

3.6kemergingGoApache License 2.0

The Lens

Coraza is a web application firewall engine: it inspects HTTP requests for SQL injection, XSS, and the rest of the attack alphabet before they reach your app. It's an OWASP project written in Go, fully compatible with ModSecurity's rule language and the OWASP Core Rule Set, and free under Apache 2.0.

You don't run Coraza by itself; you embed it in a proxy. The mature paths are a Caddy build with the Coraza plugin or Envoy via proxy-wasm, then loading the Core Rule Set. The install is the easy half. The work is tuning: every real application trips false positives until you've spent quality time with exclusion rules.

Solo and small teams wanting an appliance with a dashboard should use chaitin/SafeLine instead; Coraza has no UI. Platform and infrastructure teams get exactly what they want here: a maintained, embeddable WAF engine without betting on ModSecurity, whose corporate support ended and left it in maintenance mode.

The catch: a WAF engine without tuned rules is a false-positive machine. Run it in detection-only mode against production traffic before you even think about blocking.

Free vs Self-Hosted vs Paid

fully free

Free Tier (Everything)

The engine, Apache 2.0. SecLang rule compatibility, OWASP Core Rule Set support, Caddy plugin, Envoy/proxy-wasm connector, HTTP interceptor for Go apps. The Core Rule Set itself is also free.

Self-Hosted Setup

Coraza is a library, so deployment means building it into your edge: compile a Caddy binary with the plugin, wire proxy-wasm into Envoy/Istio, or embed it in a Go service. That part is hours. Rule tuning is the real cost: weeks of detection-only mode, reviewing logs, and writing exclusions before blocking mode is safe on a real app.

Paid Tier

None from the project. Commercial WAFs (Cloudflare at $20-200+/mo, AWS WAF usage-based) are the alternative you're avoiding.

The Math

Cloudflare WAF on the Pro plan is $20/mo and zero ops. Coraza is $0 plus real engineering time up front. The equation flips when you need WAF logic inside your own infrastructure: no traffic through a third party, no per-request pricing, rules you fully control.

Verdict

Free and maintained where ModSecurity stalled. Worth it for infrastructure teams; everyone else should buy the managed WAF.

Free WAF engine with no paid tier. You pay in tuning time, not dollars.

Self-hosting ops:significant

Get tools like this every Wednesday

One featured tool, three on the radar. No fluff.

Similar Tools

Score
57/100 · C+
Adoption17/30
Maintenance10/25
Community5/20
License15/15
Analysis10/10

License: Apache License 2.0

Use freely. Patent grant included.

Commercial use: ✓ Yes

About

Owner
Coraza Web Application Firewall (Organization)
Stars
3,623
Forks
331

Explore Further

More tools in the directory