coraza v3.1 releases: OWASP Coraza Web Application Firewall
OWASP Coraza Web Application Firewall
Welcome to OWASP Coraza WAF. Coraza is an enterprise-grade Web Application Firewall framework written in Go that supports ModSecurity's SecLang rule language and is 100% compatible with the OWASP Core Rule Set.
Coraza v2 differences with v1
- Full internal API refactor, public API has not changed
- Full audit engine refactor with plugins support
- New enhanced plugins interface for transformations, actions, body processors, and operators
- We are fully compliant with SecLang from ModSecurity v2
- Many features were removed and transformed into plugins: XML (mostly), GeoIP, and PCRE regex
- Better debug logging
- New error logging (like modsecurity)
Why Coraza WAF?
Philosophy
- Simplicity: Anyone should be able to understand and modify Coraza WAF’s source code
- Extensibility: It should be easy to extend Coraza WAF with new functionalities
- Innovation: Coraza WAF isn’t just a ModSecurity port. It must include awesome new functions (in the meantime, it’s just a port 😅)
- Community: Coraza WAF is a community project, and all ideas will be considered
Changelog v3.1
- chore: improve GetField logic by @jptosso in #897
- chore: setvar minor fix, tests, added warning when missing variable, deprecates usage of tx.LogData by @M4tteoP in #892
- chore: fixes audit log. by @jcchavezs in #889
- fix: http.Flusher and io.ReaderFrom implementation by @romainmenke in #923
- fix: stack overflow in ReadFrom by @romainmenke in #925
- fix: Disables implicit Cookies url decoding by @M4tteoP in #928
- feat: add uppercase transformation by @blotus in #935
- fix: parse multiple cookies with spaces by @fzipi in #943
- fix: more forgiving base64 transformation [custom implementation] by @M4tteoP in #944
- fix: filling variables struct to complete audit info by @CArellanoOrbik in #968
- feat: adds context to transaction. by @jcchavezs in #963
- feat: improves logging. by @jcchavezs in #971
- feat: add raw body processor by @blotus in #983
- chore: updates CRS tests to CRS 4.0.0-rc2 by @M4tteoP in #899
- fix(seclang): merge chained raw rules by @jptosso in #985
- fix: BodyLimit related documented default values, default RequestBodyLimitAction, adds some tests by @M4tteoP in #895
- chore: Go 1.20 as minimum supported version by @jcchavezs in #996
- chore: upgrades go-ftw to 0.6.4. by @jcchavezs in #998
Install & Use
Copyright 2021 Juan Pablo Tosso