Overview
Coraza is an open source web application firewall maintained under the OWASP Foundation. Written in Go, it was designed as a modern, high-performance replacement for ModSecurity. The key design decision was full compatibility with ModSecurity's SecLang rule language, meaning existing ModSecurity rules and the OWASP Core Rule Set (CRS) work out of the box.
Unlike ModSecurity, which depends on C libraries and is tightly coupled to Apache or NGINX, Coraza is a pure Go library that can be embedded into any Go application or used as a plugin for modern reverse proxies. Official plugins exist for Caddy, Traefik, and HAProxy, making it straightforward to add WAF protection to existing infrastructure.
Coraza is particularly popular in Kubernetes environments where teams want WAF protection without the operational overhead of managing a separate security appliance. As a Go library, it can run as a sidecar, embedded in an ingress controller, or as middleware in a Go-based API gateway.
Key Features
ModSecurity Compatibility
Full compatibility with ModSecurity SecLang rule language. Existing ModSecurity rules and rule sets work without modification.
OWASP CRS Support
Native support for the OWASP Core Rule Set, providing protection against SQL injection, XSS, RCE, and other OWASP Top 10 threats.
Go Native
Pure Go implementation with no C dependencies. Embeddable as a library, usable as middleware, or deployable as a plugin for modern proxies.
Proxy Plugins
Official plugins for Caddy (coraza-caddy), Traefik, and HAProxy allow adding WAF protection with minimal configuration.
Kubernetes Ready
Lightweight enough to run as a sidecar or embedded in ingress controllers. Works with any Go-based K8s tooling.
Audit Logging
Detailed audit logging of blocked and flagged requests for security analysis and compliance reporting.
Pros & Cons
Pros
- ModSecurity drop-in replacement: Existing ModSecurity rules work without changes. Teams can migrate from ModSecurity without rewriting their rule sets.
- Modern architecture: Pure Go with no C dependencies means easier compilation, fewer security vulnerabilities in dependencies, and better cross-platform support.
- OWASP backed: As an official OWASP project, Coraza benefits from community review, regular updates, and alignment with OWASP security standards.
- Lightweight and embeddable: Can be used as a Go library, making it possible to embed the WAF directly into applications or custom proxies.
- Active development: Regular releases, a growing contributor base, and responsive maintainers on GitHub.
Cons
- Smaller community than ModSecurity: Despite its growth, the community and ecosystem of tools around Coraza is still smaller than ModSecurity's 20+ year ecosystem.
- No commercial support: No official commercial support offering. Organizations needing SLAs must rely on the community or third-party consultants.
- Limited GUI: No built-in management dashboard or UI. Configuration is done through rule files and proxy configuration.
- Newer project: Started in 2021, so less battle-tested in production than ModSecurity or commercial WAFs.
Pricing
Pricing model: Free and open source (Apache 2.0)
Open Source
Full WAF functionality, community supported
- ModSecurity SecLang compatible
- OWASP Core Rule Set support
- Caddy, Traefik, HAProxy plugins
- Embeddable Go library
- Community support via GitHub
Our Verdict
Coraza is the most promising ModSecurity successor in the open source WAF space. Full SecLang compatibility means migration is straightforward, while the modern Go implementation addresses many of ModSecurity's architectural limitations.
For teams already managing ModSecurity rules, Coraza offers a clear upgrade path. For new deployments on modern infrastructure (Caddy, Traefik, Kubernetes), it is arguably a better starting point than ModSecurity. The lack of commercial support is the main consideration for enterprise adoption.
Our verdict: The best open source WAF for modern infrastructure. If you are using ModSecurity and looking to modernize, or deploying WAF on Kubernetes, Coraza should be your first consideration.
CVE Coverage
Coraza Web Application Firewall can detect and block attacks matching 87K+ known CVEs based on its supported rule sets.
Latest Blockable CVEs
| CVE | Severity |
|---|---|
| CVE-2026-4510 | MEDIUM |
| CVE-2026-4161 | MEDIUM |
| CVE-2026-4087 | MEDIUM |
| CVE-2026-4086 | MEDIUM |
| CVE-2026-4084 | MEDIUM |
| CVE-2026-4077 | MEDIUM |
| CVE-2026-4072 | MEDIUM |
| CVE-2026-4069 | MEDIUM |
| CVE-2026-4067 | MEDIUM |
| CVE-2026-4022 | MEDIUM |
Frequently Asked Questions
Can I use my existing ModSecurity rules with Coraza?
Yes. Coraza is fully compatible with ModSecurity's SecLang rule language. Your existing rules, including custom rules and the OWASP Core Rule Set, will work without modification. This makes migration from ModSecurity straightforward.
How does Coraza compare to ModSecurity?
Coraza is a modern reimplementation of the ModSecurity concept in Go. It supports the same rule language but has no C dependencies, better performance in many scenarios, and native support for modern proxies like Caddy and Traefik. ModSecurity has a larger ecosystem and longer track record, but its development has slowed since Trustwave transferred maintenance to the community.
Does Coraza work with NGINX?
Not directly as a module like ModSecurity (libmodsecurity + NGINX connector). However, you can run Coraza as a reverse proxy in front of NGINX using the Caddy or HAProxy plugins, or embed it in a Go-based proxy that sits before NGINX. For native NGINX integration, ModSecurity remains the more established option.
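As an added example (not from this page or the Coraza project's own documentation), a Caddyfile for the coraza-caddy plugin that implements the pattern described above: Coraza runs in the Caddy reverse proxy in front of an NGINX origin, loads the OWASP Core Rule Set and adds one local SecLang rule. The `load_owasp_crs` directive and the `@coraza.conf-recommended` / `@crs-setup.conf.example` / `@owasp_crs/*.conf` include aliases follow the plugin's documented form but should be checked against the plugin version in use; `nginx-upstream:80`, port 8080 and rule id 10001 are assumed values.

```caddyfile
{
	# The WAF handler must run before every other handler so each request is inspected
	order coraza_waf first
}

:8080 {
	coraza_waf {
		# Makes the OWASP CRS files bundled with the plugin available to Include
		load_owasp_crs
		directives `
			Include @coraza.conf-recommended
			Include @crs-setup.conf.example
			Include @owasp_crs/*.conf

			# The recommended config starts in DetectionOnly (log, never block).
			# Switch to On only after reviewing the audit log for false positives.
			SecRuleEngine On

			# Local rule (assumed id 10001): the admin path is not meant to be
			# reachable through the public edge, so deny it before CRS runs.
			SecRule REQUEST_URI "@beginsWith /admin" "id:10001,phase:1,deny,status:403,log,msg:'admin path not exposed through the edge'"
		`
	}

	# NGINX remains the origin; Coraza inspects (and may block) first
	reverse_proxy nginx-upstream:80
}
```

Start with `SecRuleEngine DetectionOnly`, tune the CRS paranoia level and exclusions from what the audit log shows, and only then flip to `On`.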