Bad WAF rules break production. We built a tool to catch them first.
Key Takeaways
- coraza-rule-validator is a Go-based CLI that validates ModSecurity-style rules against the real OWASP Coraza engine before deployment
- Coraza is an open source, enterprise-grade Web Application Firewall (WAF) that supports ModSecurity SecLang rulesets and is compatible with the OWASP Core Rule Set v4.
- Coraza can handle a wide range of attacks, including SQL Injection and Cross Site Scripting, with minimal false alerts due to its use of the OWASP Core Rule Set.
- Coraza has an extensibility capability through its plugin framework, enabling users to add new operators, actions, directives, and processors to enhance its functionality.
- Runtime WAF failures from malformed rules cause downtime or silent security gaps. Static analysis in PHP or Python misses regex and engine-specific errors
- Atomic Edge uses this validator as a safety gate for AI-generated CVE protection rules in our automated pipeline
- Core features include .conf file validation, inline rule testing, JSON output for automation, and CI-friendly exit codes
- The tool is open source at https://github.com/stardothosting/coraza-rule-validator under Apache 2.0 license
What Problem Does Coraza Rule Validator Solve?
Scenario: a production web application firewall refuses to start. The culprit is a single malformed SecRule that slipped through code review. Traffic hits origin servers without being protected, leaving sensitive resources exposed to a range of attacks such as SQL injection, cross-site scripting, and other malicious activities.
Traditional ModSecurity rule validation happens at runtime. Syntax errors, broken regexes, and unknown directives only surface when the WAF process reloads. For web applications running Coraza WAF on high-traffic WordPress or CMS sites, downtime or silent policy gaps create critical risks, as these vulnerabilities can be exploited by attackers and may result in a breach if not detected and mitigated promptly. To mitigate such risks and prevent misconfigurations, it is important to disable unused features or configurations—such as disabling external entities in XML parsing or removing unnecessary code—which helps reduce the attack surface and strengthens overall security.
The goal is simple: guarantee that any ruleset passing validation will load successfully in Coraza before it touches a production endpoint.
Why Static Analysis Isn’t Enough for ModSecurity Rule Validation
Static checks in PHP or Python parse ModSecurity syntax and catch obvious mistakes, but they don’t execute rules in the actual Coraza engine or ensure the use of reliable and secure software for rule validation.
Concrete gaps static tools miss:
- PCRE regexes valid in Apache module deployments fail in Go’s RE2 engine used by Coraza
- Backslash escaping breaks after rules pass through YAML, Kubernetes manifests, or environment variables
- Coraza-specific operators or unknown variables produce confusing errors
- Chained rule dependencies that reference non-existent rule IDs
- Improper validation of input can allow injection attacks, such as SQL injection or cross-site scripting (XSS), to slip through undetected if rules are not accurately tested in the real engine
coraza-rule-validator runs Coraza v3.7.0, the same engine powering Atomic Edge production endpoints. By leveraging secure software for rule validation, validation matches real behavior, not a theoretical parser, giving developers confidence that their rules will accurately validate input and prevent vulnerabilities during secure deployment.
Atomic Edge’s Challenge: Validating AI Generated CVE Rules
At Atomic Edge, our endpoint WAF provides continuous CVE protection for WordPress and modern CMSs. When a vulnerability is published, our pipeline analyzes attack vectors, generates SecLang directives, validates them, and deploys to edge nodes. Accurate rule validation is essential for maintaining application security, ensuring that only correct and effective rules are deployed to protect web applications.
AI-generated rules accelerate response time but introduce subtle errors. For instance, we’ve caught:
- Instances of misbalanced quotes in SecRule actions
- Instances where REQUEST_HEADERS:Nonexistent is referenced instead of valid header names
- Instances of PCRE-style backreferences like 1 that RE2 rejects
A single broken Coraza rule prevents an entire ruleset from loading. We needed deterministic pre-deployment validation to protect customer WAF instances from vulnerabilities and our own tooling.
How Coraza Rule Validator Works Under the Hood
coraza-rule-validator is written in Go and links directly against the Coraza WAF library, compiled into a ~17 MB binary. No external dependencies required.
The CLI accepts a .conf file path or inline rules. It instantiates a Coraza engine in memory, loads the provided rules, and reports parse, compile, or engine errors without sending any HTTP request to a server.
Error reporting includes explicit categories:
Category | Description |
|---|---|
regex_compilation | RE2 engine rejected the pattern |
unknown_variable | Variable not implemented in Coraza |
parse_error | SecLang syntax invalid |
chain_error | Chained rule dependency broken |
For more details on error categories and troubleshooting, refer to the documentation.
Output supports plain text for local development or JSON for automation. Exit codes follow standard convention: 0 for success, 1 for validation errors, 2 for usage issues.
Command Line Usage and Options
Validate a single file:
coraza-rule-validator -conf rules/cve-2025-12345.confBulk validation with glob patterns for CI pipelines:
coraza-rule-validator -conf "rules/cve-*.conf" -jsonInline validation for rules generated on the fly:
coraza-rule-validator -rule "SecRule REQUEST_BODY '@rx attack' 'id:1000,phase:2,deny,log'"Check Coraza engine version for compatibility tracking:
coraza-rule-validator -version
# Output: coraza-rule-validator v1.0.0 (Coraza engine v3.7.0)Integrating Coraza Rule Validator into a CVE Protection Pipeline
Atomic Edge pushes rules from a central control plane to many edge endpoints. Our process runs validation before any deployment, including checks to ensure the location of data and resources is trusted, helping to prevent vulnerabilities such as SSRF and integrity failures. Implementing real-time threat detection involves using advanced monitoring tools that analyze traffic patterns and identify anomalies indicative of attacks. Effective real-time threat detection can significantly decrease the average time to detect a breach, which is typically around 200 days without such measures. To further mitigate DDoS attacks, strategies such as rate limiting are used to control the amount of traffic accepted from a single IP address, while deploying a Web Application Firewall (WAF) filters and monitors HTTP traffic to block malicious requests before they reach the server. Implementing IP-based restrictions can also help by blocking traffic from known malicious IP addresses or ranges, reducing the attack surface. It is also crucial to ensure that an authorization token is present in each request to confirm user identity and maintain secure access control. Additionally, supplementary security measures such as logging and monitoring should be incorporated as part of the overall security process.
High-level sequence:
- AI worker generates .conf file from CVE data
- Pipeline invokes coraza-rule-validator with JSON output
- On success (exit 0), rules deploy to staging then production
- On failure (exit 1), errors surface to security engineers
PHP integration example using Symfony Process:
$process = Process::run([
'/usr/local/bin/coraza-rule-validator',
'-conf', $rulePath,
'-json'
]);
if (!$process->successful()) {
$errors = json_decode($process->output(), true)['errors'];
foreach ($errors as $error) {
Log::error("Rule validation failed", [
'type' => $error['type'],
'message' => $error['message']
]);
}
return false;
}
Exit codes integrate naturally with GitHub Actions, GitLab CI, or Jenkins. Security engineers maintaining hand-written rules or OWASP Core Rule Set overrides can run the validator as a pre-commit hook.
Why Not Just Use Caddy With Coraza?
Caddy with coraza-caddy provides a full web server with integrated WAF functionality. For rule validation, it’s overkill.
Aspect | Caddy + coraza-caddy | coraza-rule-validator |
|---|---|---|
Binary size | ~65 MB | ~17 MB |
Requires config | Yes | No |
Listens on ports | Yes | No |
CI/CD friendly | Requires setup | Drop-in binary |
Pipelines need a small, dependency-free tool that runs in containers, build agents, or developer laptops without root access or service management. Atomic Edge uses full Coraza integrations for serving traffic, but relies on the validator to catch issues before rules reach those servers.
Use Cases Beyond Atomic Edge
coraza-rule-validator is open source on GitHub for the broader Coraza and ModSecurity community, contributing to web application security by helping organizations address critical risks identified in the OWASP Top 10. The OWASP Top 10 is an awareness document, regularly updated by global security experts, outlining the ten most critical security risks to web applications, such as Broken Access Control, Cryptographic Failures, and Injection. OWASP recommends that organizations incorporate the OWASP Top 10 awareness document into their security processes to effectively minimize and mitigate security risks. All OWASP documentation, tools, and educational resources are freely accessible on their website, supporting web application security awareness and best practices.
Attackers often exploit user credentials or manipulate user-related access controls to compromise systems. For example, scripts can be used to automate login attempts in credential stuffing attacks, rapidly trying multiple username and password combinations to gain unauthorized access.
Coraza and its validator are trusted by organizations around the world, ensuring robust protection for diverse industries and use cases.
Who benefits:
- Organizations adopting Coraza WAF through Caddy, Envoy, or custom Go integrations
- WAF-as-a-Service providers and managed security service providers maintaining tenant-specific rules
- Teams migrating from ModSecurity on Apache or Nginx who need automated compatibility testing
- Security teams building internal rule management portals with real-time validation feedback
Beyond its technical meaning, “coraza” has evolved in contemporary Spanish to refer to various forms of protection—physical, emotional, or moral. In automotive contexts, “coraza” can mean heat shields or radiator covers. In modern therapy, it is often used as a metaphor for emotional defense mechanisms, such as coldness or cynicism, and most commonly as emotional armor defending against vulnerability and pain. “Coraza” can also describe a moral shield, like the “shield of justice,” and metaphorically represents an abstract shield that protects someone from suffering or emotional harm.
Project Details, Licensing, and Contributions
The validator lives at https://github.com/stardothosting/coraza-rule-validator. Written in Go, uses Coraza v3.7.0, and licensed under Apache 2.0 to align with the upstream project from the OWASP Foundation.
Open issues for validation bugs, feature requests, or compatibility problems. Contributors can add richer error messages, additional output formats, or CI platform integrations while keeping the binary lean. The Coraza and OWASP community is welcome to review and propose enhancements. Please refer to the contributing guidelines and documentation for more information on how to get involved and follow best practices.
