Overview
Coraza is an open source web application firewall maintained under the OWASP Foundation. Written in Go, it was designed as a modern, high-performance replacement for ModSecurity. The key design decision was full compatibility with ModSecurity's SecLang rule language, meaning existing ModSecurity rules and the OWASP Core Rule Set (CRS) work out of the box.
Unlike ModSecurity, which depends on C libraries and is tightly coupled to Apache or NGINX, Coraza is a pure Go library that can be embedded into any Go application or used as a plugin for modern reverse proxies. Official plugins exist for Caddy, Traefik, and HAProxy, making it straightforward to add WAF protection to existing infrastructure.
Coraza is particularly popular in Kubernetes environments where teams want WAF protection without the operational overhead of managing a separate security appliance. As a Go library, it can run as a sidecar, embedded in an ingress controller, or as middleware in a Go-based API gateway.
Key Features
ModSecurity Compatibility
Full compatibility with ModSecurity SecLang rule language. Existing ModSecurity rules and rule sets work without modification.
OWASP CRS Support
Native support for the OWASP Core Rule Set, providing protection against SQL injection, XSS, RCE, and other OWASP Top 10 threats.
Go Native
Pure Go implementation with no C dependencies. Embeddable as a library, usable as middleware, or deployable as a plugin for modern proxies.
Proxy Plugins
Official plugins for Caddy (coraza-caddy), Traefik, and HAProxy allow adding WAF protection with minimal configuration.
Kubernetes Ready
Lightweight enough to run as a sidecar or embedded in ingress controllers. Works with any Go-based K8s tooling.
Audit Logging
Detailed audit logging of blocked and flagged requests for security analysis and compliance reporting.
Pros & Cons
Pros
- ModSecurity drop-in replacement: existing ModSecurity rules work without changes, so teams can migrate from ModSecurity without rewriting their rule sets.
- Modern architecture: pure Go with no C dependencies means simpler builds, fewer security vulnerabilities in dependencies, and better cross-platform support.
- OWASP backed: as an official OWASP project, Coraza benefits from community review, regular updates, and alignment with OWASP security standards.
- Lightweight and embeddable: usable as a Go library, which makes it possible to embed the WAF directly into applications or custom proxies.
- Active development: regular releases, a growing contributor base, and responsive maintainers on GitHub.
Cons
- Smaller community than ModSecurity: despite its growth, the community and the ecosystem of tools around Coraza are still smaller than ModSecurity's 20+ year ecosystem.
- No commercial support: there is no official commercial support offering, so organizations needing SLAs must rely on the community or third-party consultants.
- Limited GUI: no built-in management dashboard or UI; configuration is done through rule files and proxy configuration.
- Newer project: started in 2021, so it is less battle-tested in production than ModSecurity or commercial WAFs.
Pricing
Pricing model: Free and open source (Apache 2.0)
Open Source
Full WAF functionality, community supported
- ModSecurity SecLang compatible
- OWASP Core Rule Set support
- Caddy, Traefik, HAProxy plugins
- Embeddable Go library
- Community support via GitHub
Our Verdict
Coraza is the most promising ModSecurity successor in the open source WAF space. Full SecLang compatibility means migration is straightforward, while the modern Go implementation addresses many of ModSecurity's architectural limitations.
For teams already managing ModSecurity rules, Coraza offers a clear upgrade path. For new deployments on modern infrastructure (Caddy, Traefik, Kubernetes), it is arguably a better starting point than ModSecurity. The lack of commercial support is the main consideration for enterprise adoption.
Our verdict: The best open source WAF for modern infrastructure. If you are using ModSecurity and looking to modernize, or deploying WAF on Kubernetes, Coraza should be your first consideration.
CVE Coverage
Coraza Web Application Firewall can detect and block attacks matching 111K+ known CVEs based on its supported rule sets.
Latest Blockable CVEs
| CVE | Severity |
|---|---|
| CVE-2026-49294 | UNKNOWN |
| CVE-2026-20262 | MEDIUM |
| CVE-2026-9863 | UNKNOWN |
| CVE-2026-9862 | UNKNOWN |
| CVE-2025-15659 | UNKNOWN |
| CVE-2025-15658 | UNKNOWN |
| CVE-2026-52704 | UNKNOWN |
| CVE-2019-25746 | HIGH |
| CVE-2018-25436 | CRITICAL |
| CVE-2016-20084 | HIGH |
Frequently Asked Questions
Can I use my existing ModSecurity rules with Coraza?
Yes. Coraza is fully compatible with ModSecurity's SecLang rule language. Your existing rules, including custom rules and the OWASP Core Rule Set, will work without modification. This makes migration from ModSecurity straightforward.
How does Coraza compare to ModSecurity?
Coraza is a modern reimplementation of the ModSecurity concept in Go. It supports the same rule language but has no C dependencies, better performance in many scenarios, and native support for modern proxies like Caddy and Traefik. ModSecurity has a larger ecosystem and longer track record, but its development has slowed since Trustwave transferred maintenance to the community.
Does Coraza work with Nginx?
Coraza does not have a native Nginx module like ModSecurity does (libmodsecurity + the ModSecurity-nginx connector). There are a few ways to use Coraza with Nginx-based setups:
- Run Caddy with the coraza-caddy plugin as a reverse proxy in front of Nginx
- Use HAProxy with the coraza-spoa plugin in front of Nginx
- In Kubernetes, use Envoy with the coraza-proxy-wasm filter as your ingress instead of Nginx
- There is an experimental coraza-apache module, but no stable Nginx equivalent yet
If you specifically need a WAF module running inside Nginx, ModSecurity is still the better choice for that use case. If you are flexible about your proxy layer, Coraza with Caddy is the most common and best-supported option.
How do I use Coraza with HAProxy?
Coraza integrates with HAProxy through the coraza-spoa plugin, which uses HAProxy's Stream Processing Offload Agent (SPOA) protocol. The WAF runs as a separate process that HAProxy forwards requests to for inspection. This is currently in preview status. Setup involves running the coraza-spoa binary alongside HAProxy and configuring HAProxy to send traffic through the SPOE filter. Your CRS rules and custom SecLang rules work the same way as with any other Coraza integration.
Can I run Coraza on Kubernetes?
Yes, and Kubernetes is one of Coraza's strongest deployment targets. Common approaches:
- Use the coraza-caddy plugin in a Caddy-based ingress controller
- Deploy coraza-proxy-wasm as a filter in Envoy-based service meshes (Istio, Envoy Gateway)
- Embed Coraza as a Go library in a custom ingress or API gateway
- Run it as a sidecar container alongside your application pods
Because Coraza is a pure Go library with no C dependencies, it compiles into a single binary that is easy to containerize. There are no shared library or build-tool dependencies to manage in your container images.
Does Coraza have a management dashboard or GUI?
No. Coraza is a WAF engine library, not a managed platform. All configuration is done through SecLang rule files and proxy configuration (Caddy, HAProxy, etc.). There is no built-in web UI for managing rules or viewing blocked requests. For visibility, you can send Coraza audit logs to tools like the ELK stack, Grafana, or any SIEM that accepts JSON logs. If you need a GUI-based WAF management experience, look at commercial WAFs or projects like BunkerWeb that wrap ModSecurity/CRS with a web interface.
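A minimal Caddyfile for the Caddy plus coraza-caddy deployment recommended above, with JSON audit logging of blocked requests so they can be shipped to a SIEM in place of a GUI. This is an added example, not configuration from the Coraza project; it assumes a Caddy binary built with the coraza-caddy plugin (so that the `coraza_waf` and `load_owasp_crs` directives exist), an upstream application on localhost:9000, and a writable /var/log/caddy directory.

```caddyfile
{
    # coraza-caddy must run before other handlers so every request is inspected first
    order coraza_waf first
}

:8080 {
    coraza_waf {
        # bundle the OWASP Core Rule Set shipped with the plugin (assumed available via load_owasp_crs)
        load_owasp_crs
        directives `
            Include @coraza.conf-recommended
            Include @crs-setup.conf.example
            Include @owasp_crs/*.conf

            # Block, not just detect. Roll out with DetectionOnly first, then switch to On.
            SecRuleEngine On

            # One JSON audit record per blocked or flagged request, for ELK/Grafana/SIEM ingestion
            SecAuditEngine RelevantOnly
            SecAuditLogRelevantStatus "^(?:5|4(?!04))"
            SecAuditLogParts ABIJDEFHZ
            SecAuditLogFormat JSON
            SecAuditLogType Serial
            SecAuditLog /var/log/caddy/coraza-audit.json

            # Custom SecLang rule alongside CRS: deny an internal path (hypothetical path and rule id)
            SecRule REQUEST_URI "@beginsWith /internal/" "id:100001,phase:1,t:lowercase,log,deny,status:403,msg:'Internal path blocked'"
        `
    }

    # assumed upstream application behind the WAF
    reverse_proxy localhost:9000
}
```

Each line in coraza-audit.json is a self-contained JSON document, which is the format the log shippers mentioned above expect.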