ModSecurity was created in 2002-2003 by Ivan Ristic, a security researcher, as an open-source web application firewall module for Apache. It was the first open-source WAF to gain widespread adoption.
- 2003: First public release of ModSecurity
- 2004: Growing adoption in the web security community
- 2006: ModSecurity 2.0 with major architectural improvements
- 2008: Ivan Ristic joins Breach Security (later Trustwave)
In 2010, Ivan Ristic and the ModSecurity project joined Breach Security, which was later acquired by Trustwave and became SpiderLabs. This era brought:
- Professional development team
- OWASP Core Rule Set (CRS) project
- ModSecurity 3.0 (libmodsecurity)
- Nginx module development
In 2021, Trustwave donated ModSecurity to OWASP (Open Web Application Security Project), returning the project to community stewardship:
- 2021: ModSecurity becomes an OWASP project
- 2022: Continued development under OWASP governance
- 2023+: Active community maintenance and updates
| Year | Version | Notable Changes |
|------|---------|-----------------|
| 2003 | 1.0 | Initial release for Apache |
| 2006 | 2.0 | Major rewrite with enhanced features |
| 2013 | 2.7 | Nginx module introduction |
| 2017 | 3.0 | libmodsecurity for multi-platform support |
| 2021 | 3.x | OWASP project |
- Written primarily in C
- Apache module architecture
- SecRules language for rule definition
- Limited to Apache web server
- Complete rewrite in C/C++
- Library-based architecture (libmodsecurity)
- Support for Apache, Nginx, IIS
- Improved performance and scalability
- API for integration
Impact and Legacy
ModSecurity’s contributions to web security:
- Pioneered open-source WAF: First widely adopted open-source web application firewall
- Rule language: SecRules became the industry standard for WAF rules
- OWASP CRS: Core Rule Set provides protection
- Industry adoption: Integrated into many commercial WAF products
- Education: Helped establish web application security best practices
ModSecurity remains actively maintained:
- OWASP project: Community-governed development
- ModSecurity 2.x: Maintenance mode (Apache only)
- ModSecurity 3.x: Active development with multi-platform support
- OWASP CRS: Regular rule set updates
- Integration: Widely used in hosting and security products
| Feature | ModSecurity | BunkerWeb | Coraza |
|---------|-------------|-----------|--------|
| First Release | 2003 | 2021 | 2021 |
| Language | C/C++ | Python/Lua | Go |
| Configuration | SecRules | Web UI/Env vars | YAML/Go |
| Web Server | Apache/Nginx | Nginx-based | Caddy/Traefik |