coraza

OWASP Coraza WAF is a Golang, ModSecurity-compatible web application firewall library

APACHE-2.0 License

Stars
2.2K
Committers
26

coraza - v2.0.0-beta.2

Published by jptosso almost 3 years ago

  • A lot of fixes
  • 99% CRS compatibility
  • Variable system rework and optimization
  • Lot of lint fixes
  • 90% coverage
  • A few low-level API changes

coraza - v2.0.0-beta.1

Published by jptosso almost 3 years ago

  • Complete testing engine rework
  • 96%+ CRS compatibility
  • Lots of bug fixes
  • A lot of linter fixes

coraza - v2.0.0-alpha.1

Published by jptosso almost 3 years ago

  • Most external APIs removed
  • Types were moved to the types package
  • Variables were moved to the variables package
  • Now the plugin engine is native and part of the core design
  • New audit log plugins for writers and formatters
  • New body processor plugins system

coraza - v1.2.0

Published by jptosso about 3 years ago

Added Content injection (prepend and append actions)

Added a lot of debug logs

Fixed variable parser

coraza - v1.1.0

Published by jptosso about 3 years ago

coraza - First stable release v1

Published by jptosso about 3 years ago

First stable release 🎉

Welcome to the first stable release of Coraza Web Application Firewall. This version is highly stable and production ready. Fully compatible with OWASP CRS.

What is working

  • Rules
  • Directives
  • Actions
  • Operators
  • Transformations
  • Variables
  • Interruptions
  • Audit Logging

What is not working

  • JSON body processor
  • Persistent Collections

Important considerations

Most features require CGO enabled, libpcre and libinjection. If none of these are available, you won't have @detectXSS, @detectSQLi or PCRE expressions (OWASP CRS compatibility).

coraza - v1.0.0-beta.7 (Final RC)

Published by jptosso about 3 years ago

This is the final release candidate; OWASP CRS compatibility is at 96,4%.

We are almost there :D

v1.0 won't contain many changes; we are production ready.

coraza - v1.0.0-beta.6

Published by jptosso about 3 years ago

Many small fixes and an important fix for default variables; they are now set properly.

coraza - v1.0.0-beta.5

Published by jptosso about 3 years ago

This update fixes some logging issues and an important rule variable parser bug.

coraza - v1.0.0-beta.4 (bugged rule parser)

Published by jptosso about 3 years ago

This is the most important release by now. CGO_ENABLED=1 is not mandatory anymore; you might disable CGO but you will lose some features. Check the README for more information.

  • CGO is not mandatory anymore
  • Rule variable parser was completely rewritten
  • A lot of bug fixes
  • More error reporting for seclang
  • Removed pcre-only tests
  • New URL parsing for transactions
  • Test engine API refactor

coraza - v1.0.0-beta.3

Published by jptosso about 3 years ago

Beta 3 might be the last release candidate.

  • Logs have been fixed
  • A few important bug fixes
  • Performance improvements

coraza - V1 beta 2

Published by jptosso about 3 years ago

API is almost final; only a few tweaks and deletes are going to be made.

What was added/fixed

  • transformation bugs (fuzzed)
  • some debug logs
  • logrus was replaced with uber/zap
  • a huge fix for request bodies

What is missing

  • Persistent collections; they are going to be implemented for v1.1 or v1.2
  • A few transformations
  • Debug configuration
  • More test coverage
  • Benchmark tools
  • Finish audit logging

coraza - v1.0.0-beta.1

Published by jptosso over 3 years ago