The 1st Line of Defense

The OWASP® CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories.

Get latest: 4.4.0 Get previous major: 3.3.5
Rules protecting a safe

Getting Started

New Features in CRS 4

CRS 4 includes many coverage improvements, plus the following new features:

  • Plug-in architecture allowing official and 3rd party plugins to integrate into CRS
  • Early-Blocking option
  • Over 500 individual rule bypasses closed following a big Bug Bounty project
  • 🆕 Web shell detection
  • Full RE2/Hyperscan compatibility for better performance
  • Support for HTTP/3
  • More granular reporting options


Supported Attack Categories

  • SQL Injection (SQLi)
  • Cross Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • PHP Code Injection
  • Java Code Injection
  • HTTPoxy
  • Shellshock
  • Unix/Windows Shell Injection
  • Session Fixation
  • Scanner/Bot Detection
  • Metadata/Error Leakages

Getting Started


👋 Be part of a vibrant and welcoming community.

🗺️ Join us on Slack for discussions, see GitHub for our projects, or follow us on Twitter.

💯 Our dev-on-duty program financed by sponsors guarantees 1st level support via multiple channels.

💫 Annual develop retreats bring the developers together for a full week where we hack away at the rule set.

🤙 We are always looking for new contributors and developers.


Latest Blog Posts

Call for Sponsors

We are looking for more Gold and Silver sponsors, not the least because we have big plans and we need support to make it happen. If you think that would be a win-win opportunity for your company or organization, then please get in touch with our sponsoring contact CRS co-lead Christian Folini via firstname dot lastname at owasp dot org.

Gold Sponsors

Silver Sponsors