Charon/docs/features/waf.md
akanealw eec8c28fb3
changed perms
2026-04-22 18:19:14 +00:00


title: Web Application Firewall (WAF)
description: Protect against OWASP Top 10 vulnerabilities with Coraza WAF

Web Application Firewall (WAF)

Stop common attacks like SQL injection, cross-site scripting (XSS), and path traversal before they reach your applications. Powered by Coraza, the WAF protects your apps from the OWASP Top 10 vulnerabilities.

Overview

The Web Application Firewall inspects every HTTP/HTTPS request and blocks malicious payloads before they reach your backend services. Charon uses Coraza, a high-performance, open-source WAF engine compatible with the OWASP Core Rule Set (CRS).

Protected attack types include:

  • SQL Injection — Blocks database manipulation attempts
  • Cross-Site Scripting (XSS) — Prevents script injection attacks
  • Path Traversal — Stops directory traversal exploits
  • Remote Code Execution — Blocks command injection
  • Zero-Day Exploits — CRS updates provide protection against newly discovered vulnerabilities

Why Use This

  • Defense in Depth — Add a security layer in front of your applications
  • OWASP CRS — Industry-standard ruleset trusted by enterprises
  • Low Latency — Coraza processes rules efficiently with minimal overhead
  • Flexible Modes — Choose between monitoring and active blocking

Configuration

Enabling WAF

  1. Navigate to Proxy Hosts
  2. Edit or create a proxy host
  3. In the Security tab, toggle Web Application Firewall
  4. Select your preferred mode

Operating Modes

| Mode | Behavior | Use Case |
| --- | --- | --- |
| Monitor | Logs threats but allows traffic | Testing rules, reducing false positives |
| Block | Actively blocks malicious requests | Production protection |

Recommendation: Start in Monitor mode to review detected threats, then switch to Block mode once you're confident in the rules.

Per-Host Configuration

WAF can be enabled independently for each proxy host:

  • Enable for public-facing applications
  • Disable for internal services or APIs with custom security
  • Mix modes across different hosts as needed

Zero-Day Protection

The OWASP Core Rule Set is regularly updated to address:

  • Newly discovered CVEs
  • Emerging attack patterns
  • Bypass techniques

Charon includes the latest CRS version and receives updates through container image releases.

Limitations

The WAF protects HTTP and HTTPS traffic only:

| Traffic Type | Protected |
| --- | --- |
| HTTP/HTTPS Proxy Hosts | Yes |
| TCP/UDP Streams | No |
| Non-HTTP protocols | No |

For TCP/UDP protection, use CrowdSec or network-level firewalls.

Troubleshooting

| Issue | Solution |
| --- | --- |
| Legitimate requests blocked | Switch to Monitor mode and review the logs to find which rules fire on legitimate traffic |
| High latency | Check whether complex rules are triggering; consider rule tuning |
| WAF not activating | Verify that the proxy host has WAF enabled in the Security tab |
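A worked example, added here and not part of Charon or this page: a small Python script that summarises Coraza audit-log entries captured while a host runs in Monitor mode, so the rules that fire most often can be reviewed (the workflow recommended under Operating Modes and in the Troubleshooting table) before the host is switched to Block. The log shape and the letter case of the Host header are assumptions about Coraza's JSON audit format, and the four log lines are constructed; this page does not say where Charon writes its WAF logs.

```python
import json
from collections import Counter

# Constructed sample of Coraza JSON audit log lines (one transaction per line).
# The shape is assumed from Coraza's JSON audit log format; replace this string
# with the contents of the real audit log before relying on the output.
SAMPLE_AUDIT_LOG = """
{"transaction":{"request":{"uri":"/search?q=O'Brien","headers":{"Host":["app.example.com"]}},"messages":[{"data":{"id":942100,"msg":"SQL Injection Attack Detected via libinjection"}}]}}
{"transaction":{"request":{"uri":"/search?q=D'Angelo","headers":{"host":["app.example.com"]}},"messages":[{"data":{"id":942100,"msg":"SQL Injection Attack Detected via libinjection"}}]}}
{"transaction":{"request":{"uri":"/download?file=../../config.yml","headers":{"Host":["app.example.com"]}},"messages":[{"data":{"id":930100,"msg":"Path Traversal Attack (/../)"}}]}}
{"transaction":{"request":{"uri":"/v1/items","headers":{"Host":["api.example.com"]}},"messages":[{"data":{"id":941100,"msg":"XSS Attack Detected via libinjection"}}]}}
"""

def host_of(request):
    """Return the Host header value regardless of the header name's letter case."""
    for name, values in request.get("headers", {}).items():
        if name.lower() == "host" and values:
            return values[0]
    return "unknown"

def summarize(audit_log):
    """Count (host, rule id) hits seen in Monitor mode, keeping one sample URI each.

    Returns a list of dicts sorted by count descending, then rule id, so the
    noisiest rules (the likeliest false-positive sources) come first.
    """
    counts = Counter()
    samples = {}
    for line in filter(None, map(str.strip, audit_log.splitlines())):
        tx = json.loads(line)["transaction"]
        host = host_of(tx["request"])
        for m in tx.get("messages", []):
            key = (host, m["data"]["id"], m["data"].get("msg", ""))
            counts[key] += 1
            samples.setdefault(key, tx["request"].get("uri", ""))
    return [
        {"host": h, "rule_id": rid, "msg": msg, "count": n, "sample_uri": samples[(h, rid, msg)]}
        for (h, rid, msg), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][1]))
    ]

if __name__ == "__main__":
    for hit in summarize(SAMPLE_AUDIT_LOG):
        print(f'{hit["host"]:20} {hit["rule_id"]} x{hit["count"]}  {hit["msg"]}  e.g. {hit["sample_uri"]}')
```

In the constructed sample, rule 942100 fires twice on the same search endpoint for names containing an apostrophe, which is the kind of hit to inspect (and tune, with a rule exclusion scoped to that host and parameter) before enabling Block; the single traversal hit is the kind that Block mode is meant to stop.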