
Protect your applications with Coraza WAF

A high-performance reverse proxy with built-in Web Application Firewall powered by Coraza and OWASP Core Rule Set. Defend against SQL injection, XSS, RCE, and more.

Get started in minutes

Deploy enterprise-grade web application security in three simple steps

Step 1: Build the Docker image

Build the Coraza Proxy container from source (or use a pre-built image, if one is available to you):
git clone https://github.com/alexperezortuno/go-coraza.git
cd go-coraza
docker build -t coraza-proxy:latest .
The image includes the Coraza WAF engine and OWASP Core Rule Set v4.

Step 2: Configure your backends

Set the environment variables that define your backend services and their protection rules:
export BACKENDS='{"api.example.com":["api-server:8080"],"web.example.com":["web-server:80"]}'
export PROXY_APIS_HOSTS=api.example.com
export PROXY_WEB_HOSTS=web.example.com
export PROXY_RATE_LIMIT=100
export PROXY_RATE_BURST=200
  • BACKENDS: JSON map of hostnames to lists of backend server addresses (host:port); a hostname with more than one address is load-balanced across them
  • PROXY_APIS_HOSTS: Comma-separated list of API hosts (protected at CRS paranoia level 2, the stricter profile)
  • PROXY_WEB_HOSTS: Comma-separated list of web hosts (protected at CRS paranoia level 1)
  • PROXY_RATE_LIMIT: Sustained requests per second allowed per client IP
  • PROXY_RATE_BURST: Maximum burst size per client IP before rate limiting applies
  • GEO_BLOCK_ENABLED: Enable GeoIP filtering (true/false); requires the MaxMind GeoIP2 database
  • PROXY_BLOCK_BOTS: Block known bots (true/false)

Step 3: Start the proxy

Launch Coraza Proxy and start protecting your applications:
docker run -d -p 8081:8081 \
  -e BACKENDS='{"api.example.com":["api-server:8080"]}' \
  -e PROXY_APIS_HOSTS=api.example.com \
  -e PROXY_RATE_LIMIT=100 \
  coraza-proxy:latest
Your applications are now protected. Confirm the WAF is in the request path by sending a request that carries a SQL injection payload:
curl "http://localhost:8081/" -H "Host: api.example.com" \
  --data-urlencode "q=1' OR '1'='1"
The payload `1' OR '1'='1` matches the CRS SQL injection rules and pushes the request over the inbound anomaly-score threshold at either paranoia level, so Coraza rejects it with a 403 Forbidden response. The same request without the payload should pass through to the backend unchanged; if both are refused, check the backend address and the Host header rather than the WAF rules.
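The routing behaviour implied by steps 2 and 3 (hostname to backend pool, hostname to CRS paranoia level, Host header matching) is worth seeing as code. The following is an added example written for this page, not the proxy's own source: the `Router`, `NewRouter` and `Resolve` names, the fail-closed validation, and the sample BACKENDS value are all assumptions. It rejects a Host that is not configured instead of forwarding it to a default pool, refuses to start if a host has backends but no protection profile (or a profile but no backends), and round-robins across a host's addresses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
	"sync/atomic"
)

// ParanoiaLevel is the CRS paranoia level applied to a host: PL1 for
// PROXY_WEB_HOSTS entries, PL2 for PROXY_APIS_HOSTS entries.
type ParanoiaLevel int

const (
	PL1 ParanoiaLevel = 1
	PL2 ParanoiaLevel = 2
)

// Route is the decision for one hostname: its backend pool and WAF profile.
type Route struct {
	Backends []string
	Level    ParanoiaLevel
	next     uint32 // round-robin cursor, advanced atomically
}

// Router maps lower-cased hostnames to routes (hypothetical type, not the project's).
type Router struct {
	routes map[string]*Route
}

// splitHosts parses a comma-separated host list, trimming and lower-casing entries.
func splitHosts(s string) []string {
	var out []string
	for _, h := range strings.Split(s, ",") {
		if h = strings.ToLower(strings.TrimSpace(h)); h != "" {
			out = append(out, h)
		}
	}
	return out
}

// NewRouter builds a Router from the three environment values. It fails closed:
// every host in BACKENDS must appear in exactly one hosts list so that it has a
// defined profile, and every listed host must have at least one backend.
func NewRouter(backendsJSON, apiHosts, webHosts string) (*Router, error) {
	var backends map[string][]string
	if err := json.Unmarshal([]byte(backendsJSON), &backends); err != nil {
		return nil, fmt.Errorf("BACKENDS is not valid JSON: %w", err)
	}
	levels := map[string]ParanoiaLevel{}
	for _, h := range splitHosts(apiHosts) {
		levels[h] = PL2
	}
	for _, h := range splitHosts(webHosts) {
		if _, dup := levels[h]; dup {
			return nil, fmt.Errorf("host %q is listed as both an API and a web host", h)
		}
		levels[h] = PL1
	}
	r := &Router{routes: map[string]*Route{}}
	for host, pool := range backends {
		host = strings.ToLower(host)
		if len(pool) == 0 {
			return nil, fmt.Errorf("host %q has an empty backend list", host)
		}
		lvl, ok := levels[host]
		if !ok {
			return nil, fmt.Errorf("host %q has backends but no protection profile", host)
		}
		r.routes[host] = &Route{Backends: pool, Level: lvl}
	}
	for h := range levels {
		if _, ok := r.routes[h]; !ok {
			return nil, fmt.Errorf("host %q has a protection profile but no backends", h)
		}
	}
	return r, nil
}

// Resolve picks a backend and profile for an incoming Host header. A Host that
// is not configured is rejected (ok=false) rather than sent to some default pool.
func (r *Router) Resolve(hostHeader string) (backend string, level ParanoiaLevel, ok bool) {
	host := strings.ToLower(strings.TrimSpace(hostHeader))
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drops ":8081"; also unwraps a bracketed IPv6 literal
	}
	route, found := r.routes[host]
	if !found {
		return "", 0, false
	}
	n := atomic.AddUint32(&route.next, 1) - 1
	return route.Backends[n%uint32(len(route.Backends))], route.Level, true
}

func main() {
	// Constructed sample configuration, equivalent to the exported variables above.
	r, err := NewRouter(
		`{"api.example.com":["api-1:8080","api-2:8080"],"web.example.com":["web-server:80"]}`,
		"api.example.com", "web.example.com")
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"api.example.com:8081", "api.example.com", "WEB.example.com", "evil.example.com"} {
		b, lvl, ok := r.Resolve(h)
		fmt.Printf("Host %-22s -> ok=%-5t backend=%-14s PL%d\n", h, ok, b, lvl)
	}
}
```

The validation in `NewRouter` is the part to keep even if the rest changes: a hostname that can be reached but has no paranoia level assigned is a hole in the WAF, and it is far cheaper to refuse to start than to discover that hole in an incident review.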

Key features

Everything you need to secure your web applications and APIs

WAF protection

Powered by Coraza WAF and the OWASP Core Rule Set, with separate profiles for APIs (CRS paranoia level 2) and websites (paranoia level 1)

Rate limiting

Per-IP rate limiting with configurable burst sizes and automatic cleanup of inactive visitors
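To make the three knobs above concrete (a per-second rate, a burst size, and expiry of idle visitors), here is a per-IP token-bucket limiter as an added example written for this page; it is not the proxy's own implementation, and the `Limiter` type, its method names and the injectable clock are assumptions. Each client starts with a full bucket of `burst` tokens, tokens refill continuously at `rate` per second, and `Cleanup` drops clients that have been idle longer than a TTL so the per-IP map cannot be grown without bound by an attacker rotating source addresses.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"time"
)

// bucket is one client's token bucket: tokens refill continuously at the
// configured rate and are capped at the burst size.
type bucket struct {
	tokens   float64
	lastSeen time.Time
}

// Limiter keeps one bucket per client IP. rate and burst play the role of
// PROXY_RATE_LIMIT and PROXY_RATE_BURST; idleTTL controls cleanup.
type Limiter struct {
	mu      sync.Mutex
	rate    float64
	burst   float64
	idleTTL time.Duration
	buckets map[string]*bucket
	now     func() time.Time // injectable clock (an assumption, for deterministic tests)
}

func NewLimiter(ratePerSec, burst int, idleTTL time.Duration) *Limiter {
	return &Limiter{
		rate: float64(ratePerSec), burst: float64(burst), idleTTL: idleTTL,
		buckets: map[string]*bucket{}, now: time.Now,
	}
}

// Allow reports whether a request from ip may proceed, spending one token if so.
// A new client starts with a full bucket, so short bursts up to `burst` pass
// immediately while sustained traffic is held to `rate` requests per second.
func (l *Limiter) Allow(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.buckets[ip]
	if !ok {
		b = &bucket{tokens: l.burst, lastSeen: now}
		l.buckets[ip] = b
	} else {
		elapsed := now.Sub(b.lastSeen).Seconds()
		b.tokens = math.Min(l.burst, b.tokens+elapsed*l.rate)
		b.lastSeen = now
	}
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Cleanup removes buckets idle for longer than idleTTL and returns how many it
// dropped. A long-running proxy calls this periodically from a goroutine.
func (l *Limiter) Cleanup() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	cutoff := l.now().Add(-l.idleTTL)
	removed := 0
	for ip, b := range l.buckets {
		if b.lastSeen.Before(cutoff) {
			delete(l.buckets, ip)
			removed++
		}
	}
	return removed
}

// Visitors returns the number of client IPs currently tracked.
func (l *Limiter) Visitors() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.buckets)
}

func main() {
	// Same values as the quick start: 100 req/s sustained, burst of 200.
	l := NewLimiter(100, 200, 3*time.Minute)
	allowed, refused := 0, 0
	for i := 0; i < 250; i++ { // constructed burst of 250 back-to-back requests from one client
		if l.Allow("203.0.113.7") {
			allowed++
		} else {
			refused++
		}
	}
	fmt.Printf("burst of 250 from one IP: allowed=%d refused=%d tracked=%d\n", allowed, refused, l.Visitors())
}
```

One caveat that matters more than the arithmetic: the key must be the real client address. If the limiter keys on a header such as X-Forwarded-For that any client can set, every request can claim a fresh IP and the limit is bypassed, so take the address from the TCP peer unless the proxy sits behind a load balancer you control, and in that case trust only the entry that load balancer appended.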

GeoIP filtering

Allow or block traffic based on country codes using MaxMind GeoIP2 database

Bot detection

Identify and block malicious bots while allowing legitimate crawlers

Multi-backend routing

Load balance across multiple backend servers with path-based routing support

Attack detection

Detect and block SQL injection, XSS, RCE, LFI, and the other OWASP Top 10 attack classes covered by the Core Rule Set

Ready to secure your applications?

Deploy Coraza Proxy in minutes and protect your web applications and APIs from OWASP Top 10 attacks.