Protecting the web with open source Web Application Firewalls
The OWASP WAF Projects unite three powerful open-source Web Application Firewall solutions under one community. Together, ModSecurity, Coraza, and the OWASP Core Rule Set (CRS) provide comprehensive protection for web applications worldwide.
![map[class:object-cover object-center src:images/home/hero/waf-security.png]](https://waf.owasp.org/images/home/hero/waf-security.png)
ModSecurity
Industry-leading WAF engine
Coraza
Next-gen Go-based WAF
Core Rule Set
Comprehensive detection rules
Open Community
Global collaboration
Three Projects, One Mission: Securing Web Applications
The OWASP WAF Projects family brings together the most trusted open-source Web Application Firewall solutions, united by a common goal of protecting web applications from attacks.
![map[class:aspect-square object-contain object-center w-[75%] src:images/home/features/modsecurity.png]](https://waf.owasp.org/images/home/features/modsecurity.png)
The Pioneer
Industry Standard WAF Engine
ModSecurity: The Original Open Source WAF
ModSecurity is the original open-source Web Application Firewall that has been protecting web applications since 2002. Known for its robustness and extensive deployment worldwide, ModSecurity provides a powerful rule-based engine compatible with Apache, Nginx, and IIS. It's the foundation that started the open-source WAF movement and continues to be a trusted solution for organizations of all sizes.
![map[class:aspect-square object-contain object-center w-[75%] src:images/home/features/coraza.png]](https://waf.owasp.org/images/home/features/coraza.png)
The Next Generation
Modern, Fast, and Cloud-Native
Coraza: Built for Modern Infrastructure
Coraza is a next-generation Web Application Firewall built from the ground up in Go, designed for modern cloud-native environments. With full ModSecurity compatibility, Coraza offers improved performance, easier deployment, and better integration with contemporary web architectures. It's the future of open-source WAF technology, bringing the power of ModSecurity to cloud-native applications with enhanced speed and efficiency.
![map[class:aspect-square object-contain object-center w-[75%] src:images/home/features/crs.png]](https://waf.owasp.org/images/home/features/crs.png)
The Intelligence
Comprehensive Attack Detection
OWASP CRS: The Rule Set That Powers Protection
The OWASP Core Rule Set (CRS) provides comprehensive, enterprise-grade attack detection rules that work seamlessly with both ModSecurity and Coraza. Maintained by a global community of security experts, CRS protects against OWASP Top 10 vulnerabilities and many other attack vectors. With continuous updates and extensive coverage, CRS is the intelligence layer that makes your WAF truly effective against modern threats.
Join Our Global Community
The OWASP WAF Projects are powered by a vibrant community of security professionals, developers, and enthusiasts from around the world. Whether you're a contributor, user, or just getting started with WAF technology, there's a place for you in our community. Connect with experts, share knowledge, and help shape the future of open-source web security.
Enterprise-Grade Security, Open Source Freedom
Our projects provide the same level of protection as commercial solutions, but with the transparency, flexibility, and community support that only open source can offer. Deployed by Fortune 500 companies and individual developers alike, OWASP WAF Projects deliver proven security without vendor lock-in or licensing costs.