Coraza was created in 2021-2022 as a modern, Go-based web application firewall library. It was designed to be a ModSecurity-compatible WAF that leverages Go’s performance and concurrency features.
¶ Development and OWASP Joining (2022-2023)
- 2022: Initial development and first releases
- 2023: Coraza joined OWASP as an official OWASP project
- 2023: First stable releases with OWASP CRS compatibility
¶ Growth and Adoption (2023-Present)
Coraza gained traction in the Go ecosystem and cloud-native environments:
- Integration with Caddy web server
- Compatibility with Traefik and other modern proxies
- Adoption in cloud-native and containerized environments
- Active development with regular releases
| Year |
Version |
Notable Changes |
| 2022 |
0.1 |
Initial development |
| 2023 |
1.0 |
First stable release |
| 2023 |
- |
OWASP project acceptance |
| 2024 |
2.x+ |
Continued development and adoption |
- Written in Go (Golang)
- Library-first architecture
- ModSecurity SecRules compatible
- OWASP Core Rule Set (CRS) compatible
- High-performance WAF engine
- Compatible with ModSecurity rules
- Cloud-native friendly
- Easy integration with Go applications
- Support for Caddy, Traefik, and other proxies
¶ Impact and Legacy
Coraza’s contributions to web security:
- Modern architecture: Built for cloud-native environments
- Go ecosystem: First major Go-based WAF library
- ModSecurity compatibility: Leverages existing rule ecosystem
- Performance: Benefits from Go’s concurrency model
- Integration: Easy to embed in Go applications
Coraza is actively developed:
- OWASP project: Community-governed development
- Active development: Regular releases and improvements
- Growing adoption: Increasing use in cloud-native deployments
- CRS compatibility: Full OWASP Core Rule Set support
| Feature |
Coraza |
ModSecurity |
BunkerWeb |
| Language |
Go |
C/C++ |
Python/Lua |
| First Release |
2022 |
2003 |
2021 |
| Architecture |
Library |
Module |
Full WAF |
| Integration |
Go apps, Caddy |
Apache, Nginx |
Nginx-based |
| License |
Apache-2.0 |
Apache-2.0 |
AGPL-3.0 |