diff --git a/.github/workflows/waf-integration.yml b/.github/workflows/waf-integration.yml
new file mode 100644
index 00000000..625a99e8
--- /dev/null
+++ b/.github/workflows/waf-integration.yml
@@ -0,0 +1,74 @@
+name: WAF Integration Tests
+
+on:
+  push:
+    branches: [ main, development, 'feature/**' ]
+    paths:
+      - 'backend/internal/caddy/**'
+      - 'backend/internal/models/security*.go'
+      - 'scripts/coraza_integration.sh'
+      - 'Dockerfile'
+      - '.github/workflows/waf-integration.yml'
+  pull_request:
+    branches: [ main, development ]
+    paths:
+      - 'backend/internal/caddy/**'
+      - 'backend/internal/models/security*.go'
+      - 'scripts/coraza_integration.sh'
+      - 'Dockerfile'
+      - '.github/workflows/waf-integration.yml'
+  # Allow manual trigger
+  workflow_dispatch:
+
+jobs:
+  waf-integration:
+    name: Coraza WAF Integration
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Build Docker image
+        run: |
+          docker build \
+            --build-arg VCS_REF=${{ github.sha }} \
+            -t charon:local .
+
+      - name: Run WAF integration tests
+        id: waf-test
+        run: |
+          chmod +x scripts/coraza_integration.sh
+          scripts/coraza_integration.sh 2>&1 | tee waf-test-output.txt
+          exit ${PIPESTATUS[0]}
+
+      - name: WAF Integration Summary
+        if: always()
+        run: |
+          echo "## 🛡️ WAF Integration Test Results" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ steps.waf-test.outcome }}" == "success" ]; then
+            echo "✅ **All WAF tests passed**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Test Results:" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            grep -E "^✓|^===|^Coraza" waf-test-output.txt || echo "See logs for details"
+            grep -E "^✓|^===|^Coraza" waf-test-output.txt >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ **WAF tests failed**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Failure Details:" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            grep -E "^✗|Unexpected|Error|failed" waf-test-output.txt | head -20 >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Cleanup
+        if: always()
+        run: |
+          docker rm -f charon-debug || true
+          docker rm -f coraza-backend || true
+          docker network rm containers_default || true
diff --git a/backend/internal/caddy/manager.go b/backend/internal/caddy/manager.go
index 3e10fbeb..96f293ec 100644
--- a/backend/internal/caddy/manager.go
+++ b/backend/internal/caddy/manager.go
@@ -121,11 +121,21 @@ func (m *Manager) ApplyConfig(ctx context.Context) error {
 			filePath := filepath.Join(corazaDir, safeName+".conf")
 			// Prepend required Coraza directives if not already present.
 			// These are essential for the WAF to actually enforce rules:
-			// - SecRuleEngine On: enables blocking mode (default is DetectionOnly)
+			// - SecRuleEngine On: enables blocking mode (blocks malicious requests)
+			// - SecRuleEngine DetectionOnly: monitor mode (logs but doesn't block)
 			// - SecRequestBodyAccess On: allows inspecting POST body content
 			content := rs.Content
 			if !strings.Contains(strings.ToLower(content), "secruleengine") {
-				content = "SecRuleEngine On\nSecRequestBodyAccess On\n\n" + content
+				// Determine WAF engine mode: per-ruleset mode takes precedence,
+				// then global WAFMode, defaulting to blocking if neither is set
+				engineMode := "On" // default to blocking
+				if rs.Mode == "detection" || rs.Mode == "monitor" {
+					engineMode = "DetectionOnly"
+				} else if rs.Mode == "" && secCfg.WAFMode == "monitor" {
+					// No per-ruleset mode set, use global WAFMode
+					engineMode = "DetectionOnly"
+				}
+				content = fmt.Sprintf("SecRuleEngine %s\nSecRequestBodyAccess On\n\n", engineMode) + content
 			}
 			// Write ruleset file with world-readable permissions so the Caddy
 			// process (which may run as an unprivileged user) can read it.
@@ -137,6 +147,34 @@ func (m *Manager) ApplyConfig(ctx context.Context) error {
 				logger.Log().WithField("ruleset", rs.Name).WithField("path", filePath).Info("wrote coraza ruleset file")
 			}
 		}
+
+		// Cleanup stale ruleset files that are no longer in the database
+		if entries, err := readDirFunc(corazaDir); err == nil {
+			for _, entry := range entries {
+				if entry.IsDir() {
+					continue
+				}
+				fileName := entry.Name()
+				filePath := filepath.Join(corazaDir, fileName)
+				// Check if this file is in the current rulesetPaths
+				isActive := false
+				for _, activePath := range rulesetPaths {
+					if activePath == filePath {
+						isActive = true
+						break
+					}
+				}
+				if !isActive {
+					if err := removeFileFunc(filePath); err != nil {
+						logger.Log().WithError(err).WithField("path", filePath).Warn("failed to remove stale ruleset file")
+					} else {
+						logger.Log().WithField("path", filePath).Info("removed stale ruleset file")
+					}
+				}
+			}
+		} else {
+			logger.Log().WithError(err).Warn("failed to read coraza rulesets dir for cleanup")
+		}
 	}
 
 	config, err := generateConfigFunc(hosts, filepath.Join(m.configDir, "data"), acmeEmail, m.frontendDir, sslProvider, m.acmeStaging, crowdsecEnabled, wafEnabled, rateLimitEnabled, aclEnabled, adminWhitelist, rulesets, rulesetPaths, decisions, &secCfg)
diff --git a/backend/internal/caddy/manager_additional_test.go b/backend/internal/caddy/manager_additional_test.go
index 3e2b46ce..2a179214 100644
--- a/backend/internal/caddy/manager_additional_test.go
+++ b/backend/internal/caddy/manager_additional_test.go
@@ -1148,3 +1148,316 @@ func TestManager_ApplyConfig_DebugMarshalFailure(t *testing.T) {
 	// ApplyConfig should still succeed even if debug logging fails
 	assert.NoError(t, manager.ApplyConfig(context.Background()))
 }
+
+func TestManager_ApplyConfig_WAFModeMonitorUsesDetectionOnly(t *testing.T) {
+	tmp := t.TempDir()
+	dsn := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name()+"wafmonitor")
+	db, err := gorm.Open(sqlite.Open(dsn), &gorm.Config{})
+	assert.NoError(t, err)
+	assert.NoError(t, db.AutoMigrate(&models.ProxyHost{}, &models.Location{}, &models.Setting{}, &models.CaddyConfig{}, &models.SSLCertificate{}, &models.SecurityConfig{}, &models.SecurityRuleSet{}))
+
+	// Create host and ruleset
+	h := models.ProxyHost{DomainNames: "monitor.example.com", ForwardHost: "127.0.0.1", ForwardPort: 8080, Enabled: true}
+	db.Create(&h)
+	// Ruleset content without SecRuleEngine
+	ruleContent := `SecRule REQUEST_BODY "<script>" "id:12345,phase:2,deny,status:403,msg:'XSS blocked'"`
+	rs := models.SecurityRuleSet{Name: "monitor-test", Content: ruleContent}
+	assert.NoError(t, db.Create(&rs).Error)
+	// WAFMode = "monitor" should result in DetectionOnly
+	sec := models.SecurityConfig{Name: "default", Enabled: true, AdminWhitelist: "10.0.0.1/32", WAFMode: "monitor", WAFRulesSource: "monitor-test"}
+	assert.NoError(t, db.Create(&sec).Error)
+
+	caddyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/load" && r.Method == http.MethodPost {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		if r.URL.Path == "/config/" && r.Method == http.MethodGet {
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"apps":{"http":{}}}`))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer caddyServer.Close()
+
+	client := NewClient(caddyServer.URL)
+
+	// Capture written file content
+	var writtenContent []byte
+	origWrite := writeFileFunc
+	writeFileFunc = func(path string, b []byte, perm os.FileMode) error {
+		if strings.Contains(path, "monitor-test") {
+			writtenContent = b
+		}
+		return origWrite(path, b, perm)
+	}
+	defer func() { writeFileFunc = origWrite }()
+
+	manager := NewManager(client, db, tmp, "", false, config.SecurityConfig{CerberusEnabled: true, WAFMode: "monitor"})
+	assert.NoError(t, manager.ApplyConfig(context.Background()))
+
+	// Verify SecRuleEngine DetectionOnly was prepended (not On)
+	content := string(writtenContent)
+	assert.True(t, strings.Contains(content, "SecRuleEngine DetectionOnly"), "SecRuleEngine DetectionOnly should be prepended in monitor mode")
+	assert.False(t, strings.Contains(content, "SecRuleEngine On"), "SecRuleEngine On should NOT be present in monitor mode")
+	assert.True(t, strings.Contains(content, "SecRequestBodyAccess On"), "SecRequestBodyAccess On should be prepended")
+}
+
+func TestManager_ApplyConfig_PerRulesetModeOverride(t *testing.T) {
+	tmp := t.TempDir()
+	dsn := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name()+"rulesetmode")
+	db, err := gorm.Open(sqlite.Open(dsn), &gorm.Config{})
+	assert.NoError(t, err)
+	assert.NoError(t, db.AutoMigrate(&models.ProxyHost{}, &models.Location{}, &models.Setting{}, &models.CaddyConfig{}, &models.SSLCertificate{}, &models.SecurityConfig{}, &models.SecurityRuleSet{}))
+
+	// Create host and ruleset with per-ruleset mode set to "detection"
+	h := models.ProxyHost{DomainNames: "rulesetmode.example.com", ForwardHost: "127.0.0.1", ForwardPort: 8080, Enabled: true}
+	db.Create(&h)
+	ruleContent := `SecRule REQUEST_BODY "<script>" "id:12345,phase:2,deny,status:403,msg:'XSS blocked'"`
+	// Ruleset has Mode="detection" which should override global "block" mode
+	rs := models.SecurityRuleSet{Name: "override-test", Content: ruleContent, Mode: "detection"}
+	assert.NoError(t, db.Create(&rs).Error)
+	// Global WAFMode is "block" but ruleset Mode should take precedence
+	sec := models.SecurityConfig{Name: "default", Enabled: true, AdminWhitelist: "10.0.0.1/32", WAFMode: "block", WAFRulesSource: "override-test"}
+	assert.NoError(t, db.Create(&sec).Error)
+
+	caddyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/load" && r.Method == http.MethodPost {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		if r.URL.Path == "/config/" && r.Method == http.MethodGet {
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"apps":{"http":{}}}`))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer caddyServer.Close()
+
+	client := NewClient(caddyServer.URL)
+
+	// Capture written file content
+	var writtenContent []byte
+	origWrite := writeFileFunc
+	writeFileFunc = func(path string, b []byte, perm os.FileMode) error {
+		if strings.Contains(path, "override-test") {
+			writtenContent = b
+		}
+		return origWrite(path, b, perm)
+	}
+	defer func() { writeFileFunc = origWrite }()
+
+	manager := NewManager(client, db, tmp, "", false, config.SecurityConfig{CerberusEnabled: true, WAFMode: "block"})
+	assert.NoError(t, manager.ApplyConfig(context.Background()))
+
+	// Verify per-ruleset mode takes precedence: should be DetectionOnly even though global is "block"
+	content := string(writtenContent)
+	assert.True(t, strings.Contains(content, "SecRuleEngine DetectionOnly"), "Per-ruleset mode 'detection' should result in DetectionOnly")
+	assert.False(t, strings.Contains(content, "SecRuleEngine On"), "Per-ruleset mode should override global 'block' mode")
+}
+
+func TestManager_ApplyConfig_RulesetFileCleanup(t *testing.T) {
+	tmp := t.TempDir()
+	dsn := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name()+"rulesetcleanup")
+	db, err := gorm.Open(sqlite.Open(dsn), &gorm.Config{})
+	assert.NoError(t, err)
+	assert.NoError(t, db.AutoMigrate(&models.ProxyHost{}, &models.Location{}, &models.Setting{}, &models.CaddyConfig{}, &models.SSLCertificate{}, &models.SecurityConfig{}, &models.SecurityRuleSet{}))
+
+	// Create initial ruleset
+	h := models.ProxyHost{DomainNames: "cleanup.example.com", ForwardHost: "127.0.0.1", ForwardPort: 8080, Enabled: true}
+	db.Create(&h)
+	rs := models.SecurityRuleSet{Name: "active-ruleset", Content: "SecRule REQUEST_BODY \"test\" \"id:1,phase:2,deny\""}
+	assert.NoError(t, db.Create(&rs).Error)
+	sec := models.SecurityConfig{Name: "default", Enabled: true, AdminWhitelist: "10.0.0.1/32", WAFMode: "block", WAFRulesSource: "active-ruleset"}
+	assert.NoError(t, db.Create(&sec).Error)
+
+	// Create a stale file in the coraza rulesets dir
+	corazaDir := filepath.Join(tmp, "coraza", "rulesets")
+	os.MkdirAll(corazaDir, 0755)
+	staleFile := filepath.Join(corazaDir, "stale-ruleset.conf")
+	os.WriteFile(staleFile, []byte("old content"), 0644)
+
+	// Create a subdirectory that should be skipped during cleanup (not deleted)
+	subDir := filepath.Join(corazaDir, "subdir")
+	os.MkdirAll(subDir, 0755)
+
+	caddyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/load" && r.Method == http.MethodPost {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		if r.URL.Path == "/config/" && r.Method == http.MethodGet {
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"apps":{"http":{}}}`))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer caddyServer.Close()
+
+	client := NewClient(caddyServer.URL)
+	manager := NewManager(client, db, tmp, "", false, config.SecurityConfig{CerberusEnabled: true, WAFMode: "block"})
+	assert.NoError(t, manager.ApplyConfig(context.Background()))
+
+	// Verify stale file was removed
+	_, err = os.Stat(staleFile)
+	assert.True(t, os.IsNotExist(err), "Stale ruleset file should be deleted")
+
+	// Verify subdirectory was NOT deleted (directories should be skipped)
+	info, err := os.Stat(subDir)
+	assert.NoError(t, err, "Subdirectory should not be deleted")
+	assert.True(t, info.IsDir(), "Subdirectory should still be a directory")
+
+	// Verify active ruleset file exists
+	activeFile := filepath.Join(corazaDir, "active-ruleset.conf")
+	_, err = os.Stat(activeFile)
+	assert.NoError(t, err, "Active ruleset file should exist")
+}
+
+func TestManager_ApplyConfig_RulesetCleanupReadDirError(t *testing.T) {
+	tmp := t.TempDir()
+	dsn := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name()+"cleanupreaddirfail")
+	db, err := gorm.Open(sqlite.Open(dsn), &gorm.Config{})
+	assert.NoError(t, err)
+	assert.NoError(t, db.AutoMigrate(&models.ProxyHost{}, &models.Location{}, &models.Setting{}, &models.CaddyConfig{}, &models.SSLCertificate{}, &models.SecurityConfig{}, &models.SecurityRuleSet{}))
+
+	h := models.ProxyHost{DomainNames: "readdirerr.example.com", ForwardHost: "127.0.0.1", ForwardPort: 8080, Enabled: true}
+	db.Create(&h)
+	rs := models.SecurityRuleSet{Name: "test-ruleset", Content: "SecRule REQUEST_BODY \"x\" \"id:1,phase:2,deny\""}
+	assert.NoError(t, db.Create(&rs).Error)
+	sec := models.SecurityConfig{Name: "default", Enabled: true, AdminWhitelist: "10.0.0.1/32", WAFMode: "block", WAFRulesSource: "test-ruleset"}
+	assert.NoError(t, db.Create(&sec).Error)
+
+	caddyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/load" && r.Method == http.MethodPost {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		if r.URL.Path == "/config/" && r.Method == http.MethodGet {
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"apps":{"http":{}}}`))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer caddyServer.Close()
+
+	client := NewClient(caddyServer.URL)
+
+	// Stub readDirFunc to return error
+	origReadDir := readDirFunc
+	readDirFunc = func(name string) ([]os.DirEntry, error) {
+		if strings.Contains(name, "coraza") {
+			return nil, fmt.Errorf("simulated readdir error")
+		}
+		return origReadDir(name)
+	}
+	defer func() { readDirFunc = origReadDir }()
+
+	manager := NewManager(client, db, tmp, "", false, config.SecurityConfig{CerberusEnabled: true, WAFMode: "block"})
+	// ApplyConfig should still succeed even if cleanup read fails
+	assert.NoError(t, manager.ApplyConfig(context.Background()))
+}
+
+func TestManager_ApplyConfig_RulesetCleanupRemoveError(t *testing.T) {
+	tmp := t.TempDir()
+	dsn := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name()+"cleanupremovefail")
+	db, err := gorm.Open(sqlite.Open(dsn), &gorm.Config{})
+	assert.NoError(t, err)
+	assert.NoError(t, db.AutoMigrate(&models.ProxyHost{}, &models.Location{}, &models.Setting{}, &models.CaddyConfig{}, &models.SSLCertificate{}, &models.SecurityConfig{}, &models.SecurityRuleSet{}))
+
+	h := models.ProxyHost{DomainNames: "removeerr.example.com", ForwardHost: "127.0.0.1", ForwardPort: 8080, Enabled: true}
+	db.Create(&h)
+	rs := models.SecurityRuleSet{Name: "keep-this", Content: "SecRule REQUEST_BODY \"x\" \"id:1,phase:2,deny\""}
+	assert.NoError(t, db.Create(&rs).Error)
+	sec := models.SecurityConfig{Name: "default", Enabled: true, AdminWhitelist: "10.0.0.1/32", WAFMode: "block", WAFRulesSource: "keep-this"}
+	assert.NoError(t, db.Create(&sec).Error)
+
+	// Create stale file
+	corazaDir := filepath.Join(tmp, "coraza", "rulesets")
+	os.MkdirAll(corazaDir, 0755)
+	staleFile := filepath.Join(corazaDir, "stale.conf")
+	os.WriteFile(staleFile, []byte("old"), 0644)
+
+	caddyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/load" && r.Method == http.MethodPost {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		if r.URL.Path == "/config/" && r.Method == http.MethodGet {
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"apps":{"http":{}}}`))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer caddyServer.Close()
+
+	client := NewClient(caddyServer.URL)
+
+	// Stub removeFileFunc to return error for stale files
+	origRemove := removeFileFunc
+	removeFileFunc = func(name string) error {
+		if strings.Contains(name, "stale") {
+			return fmt.Errorf("simulated remove error")
+		}
+		return origRemove(name)
+	}
+	defer func() { removeFileFunc = origRemove }()
+
+	manager := NewManager(client, db, tmp, "", false, config.SecurityConfig{CerberusEnabled: true, WAFMode: "block"})
+	// ApplyConfig should still succeed even if cleanup remove fails
+	assert.NoError(t, manager.ApplyConfig(context.Background()))
+}
+
+func TestManager_ApplyConfig_WAFModeBlockExplicit(t *testing.T) {
+	tmp := t.TempDir()
+	dsn := fmt.Sprintf("file:%s?mode=memory&cache=shared", t.Name()+"wafblock")
+	db, err := gorm.Open(sqlite.Open(dsn), &gorm.Config{})
+	assert.NoError(t, err)
+	assert.NoError(t, db.AutoMigrate(&models.ProxyHost{}, &models.Location{}, &models.Setting{}, &models.CaddyConfig{}, &models.SSLCertificate{}, &models.SecurityConfig{}, &models.SecurityRuleSet{}))
+
+	h := models.ProxyHost{DomainNames: "block.example.com", ForwardHost: "127.0.0.1", ForwardPort: 8080, Enabled: true}
+	db.Create(&h)
+	ruleContent := `SecRule REQUEST_BODY "<script>" "id:12345,phase:2,deny,status:403,msg:'XSS blocked'"`
+	rs := models.SecurityRuleSet{Name: "block-test", Content: ruleContent}
+	assert.NoError(t, db.Create(&rs).Error)
+	sec := models.SecurityConfig{Name: "default", Enabled: true, AdminWhitelist: "10.0.0.1/32", WAFMode: "block", WAFRulesSource: "block-test"}
+	assert.NoError(t, db.Create(&sec).Error)
+
+	caddyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/load" && r.Method == http.MethodPost {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		if r.URL.Path == "/config/" && r.Method == http.MethodGet {
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"apps":{"http":{}}}`))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer caddyServer.Close()
+
+	client := NewClient(caddyServer.URL)
+
+	var writtenContent []byte
+	origWrite := writeFileFunc
+	writeFileFunc = func(path string, b []byte, perm os.FileMode) error {
+		if strings.Contains(path, "block-test") {
+			writtenContent = b
+		}
+		return origWrite(path, b, perm)
+	}
+	defer func() { writeFileFunc = origWrite }()
+
+	manager := NewManager(client, db, tmp, "", false, config.SecurityConfig{CerberusEnabled: true, WAFMode: "block"})
+	assert.NoError(t, manager.ApplyConfig(context.Background()))
+
+	// Verify SecRuleEngine On was prepended in block mode
+	content := string(writtenContent)
+	assert.True(t, strings.Contains(content, "SecRuleEngine On"), "SecRuleEngine On should be prepended in block mode")
+	assert.False(t, strings.Contains(content, "DetectionOnly"), "DetectionOnly should NOT be present in block mode")
+}
diff --git a/scripts/coraza_integration.sh b/scripts/coraza_integration.sh
index 0389e318..d2a15f98 100644
--- a/scripts/coraza_integration.sh
+++ b/scripts/coraza_integration.sh
@@ -114,13 +114,39 @@ docker logs charon-debug | tail -n 200 || true
 
 RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -d "<script>alert(1)</script>" -H "Host: integration.local" http://localhost/post)
 if [ "$RESPONSE" = "403" ]; then
-  echo "Coraza WAF blocked payload as expected (HTTP 403)"
+  echo "✓ Coraza WAF blocked payload as expected (HTTP 403) in BLOCK mode"
 else
-  echo "Unexpected response code: $RESPONSE (expected 403)"
+  echo "✗ Unexpected response code: $RESPONSE (expected 403) in BLOCK mode"
   exit 1
 fi
 
-echo "Coraza integration test complete. Cleaning up..."
+echo ""
+echo "=== Testing MONITOR mode (DetectionOnly) ==="
+echo "Switching WAF to monitor mode..."
+SEC_CFG_MONITOR='{"name":"default","enabled":true,"waf_mode":"monitor","waf_rules_source":"integration-xss","admin_whitelist":"0.0.0.0/0"}'
+curl -s -X POST -H "Content-Type: application/json" -d "${SEC_CFG_MONITOR}" -b ${TMP_COOKIE} http://localhost:8080/api/v1/security/config
+
+echo "Wait for Caddy to apply monitor mode config..."
+sleep 2
+
+echo "Inspecting ruleset file (should now have DetectionOnly)..."
+docker exec charon-debug cat /app/data/caddy/coraza/rulesets/integration-xss.conf | head -5 || true
+
+RESPONSE_MONITOR=$(curl -s -o /dev/null -w "%{http_code}" -d "<script>alert(1)</script>" -H "Host: integration.local" http://localhost/post)
+if [ "$RESPONSE_MONITOR" = "200" ]; then
+  echo "✓ Coraza WAF in MONITOR mode allowed payload through (HTTP 200) as expected"
+else
+  echo "✗ Unexpected response code: $RESPONSE_MONITOR (expected 200) in MONITOR mode"
+  echo "  Note: Monitor mode should log but not block"
+  exit 1
+fi
+
+echo ""
+echo "=== All Coraza integration tests passed ==="
+
+echo ""
+echo "=== All Coraza integration tests passed ==="
+echo "Cleaning up..."
 docker rm -f coraza-backend || true
 if [ "$CREATED_NETWORK" -eq 1 ]; then
   docker network rm containers_default || true