Programming language: Go
License: Apache License 2.0
Tags: Security    

Coraza alternatives and similar packages

Based on the "Security" category.
Alternatively, view coraza alternatives based on common mentions on social networks and blogs.

Do you think we are missing an alternative of Coraza or a related project?

Add another 'Security' Package


  Coraza - Web Application Firewall

Regression Tests [Coreruleset Compatibility](#) CodeQL Coverage Project Status: Active โ€“ The project has reached a stable, usable state and is being actively developed. OWASP Lab Project GoDoc

Notice: Coraza v3 is on pre-alpha stage and APIs might change ! :warning:

Coraza is an open source, enterprise-grade, high performance Web Application Firewall (WAF) ready to protect your beloved applications. It written in Go, supports ModSecurity SecLang rulesets and is 100% compatible with the OWASP Core Rule Set.

Key Features:

  • โ‡ฒ Drop-in - Coraza is a drop-in alternative to replace the soon to be abandoned Trustwave ModSecurity Engine and supports industry standard SecLang rule sets.

  • ๐Ÿ”ฅ Security - Coraza runs the OWASP Core Rule Set (CRS) to protect your web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS protects from many common attack categories including: SQL Injection (SQLi), Cross Site Scripting (XSS), PHP & Java Code Injection, HTTPoxy, Shellshock, Scripting/Scanner/Bot Detection & Metadata & Error Leakages.

  • ๐Ÿ”Œ Extensible - Coraza is a library at its core, with many integrations to deploy on-premise Web Application Firewall instances. Audit Loggers, persistence engines, operators, actions, create your own functionalities to extend Coraza as much as you want.

  • ๐Ÿš€ Performance - From huge websites to small blogs, Coraza can handle the load with minimal performance impact. Check our Benchmarks

  • ๏นก Simplicity - Anyone is able to understand and modify the Coraza source code. It is easy to extend Coraza with new functionality.

  • ๐Ÿ’ฌ Community - Coraza is a community project, contributions are accepted and all ideas will be considered. Find contributor guidance in the CONTRIBUTION document.


The Coraza Project maintains implementations and plugins for the following servers:



  • WASM scripts support
  • New rule language
  • GraphQL body processor
  • TinyGo support
  • libcoraza C exports


  • Golang compiler v1.18+
  • Linux distribution (Debian or Centos recommended) or Mac. Windows not supported yet.

Coraza Core Usage

Coraza can be used as a library for your Go program to implement a security middleware or integrate it with existing application & webservers.

package main

import (

func main() {
    // First we initialize our waf and our seclang parser
    waf, err := coraza.NewWAF(coraza.NewWAFConfig().
        WithDirectives(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`))
    // Now we parse our rules
    if err != nil {

    // Then we create a transaction and assign some variables
    tx := waf.NewTransaction()
    defer func() {
    tx.ProcessConnection("", 8080, "", 12345)

    // Finally we process the request headers phase, which may return an interruption
    if it := tx.ProcessRequestHeaders(); it != nil {
        fmt.Printf("Transaction was interrupted with status %d\n", it.Status)

[Examples/http-server](./examples/http-server/) provides an example to practice with Coraza.



Coraza only requires Go for development. You can run mage.go to issue development commands.

See the list of commands

go run mage.go -l

For example, to format your code before submission, run

go run mage.go format


Contributions are welcome! Please refer to [CONTRIBUTING.md](./CONTRIBUTING.md) for guidance.


  • Modsecurity team for creating ModSecurity
  • OWASP Coreruleset team for the CRS and their help

Companies using Coraza

Author on Twitter


For donations, see Donations site

Thanks to all the people who have contributed

We could not have done this without you!

Made with contrib.rocks.