OWASP Coraza Web Application Firewall

OWASP Coraza is an enterprise-grade WAF framework written in Go, compatible with ModSecurity and the OWASP Core Rule Set.

About OWASP Coraza Web Application Firewall

Try OWASP Coraza

Try OWASP Coraza using https://coreruleset.org/docs/development/sandbox/ or the Coraza Playground.

    curl -H "x-format-output: txt-matched-rules" \
         -H "x-backend: coraza-caddy" \
         "https://sandbox.coreruleset.org/?search="

Take control of your applications

Control your requests and responses before they are processed by your server or your customer’s browser by submitting the content to our 4 “phase processors.”

Parse multiple content types, like XML, JSON, Multipart, and urlencoded, and don’t miss anything. Coraza can transform all of this into easily manageable variables.

Extend OWASP Coraza to achieve anything; our plugin framework allows you to extend any capability, like operators, actions, directives, body processors, and audit engines.

Don’t miss anything; log everything you need in order to achieve compliance and complete visibility of your applications.

Documentation

We have extensive documentation on integration, supported directives, and additional usage patterns.

Licensing

OWASP Coraza Web Application Firewall is free to use. It is licensed under the Apache Software License version 2 (ASLv2), so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or similar license to this one.
© 2026, OWASP Foundation Inc. All rights reserved.