Announcement: OWASP ModSecurity Core Rule Set Version 3.1.0

The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at last.

A wee bit over 2 years in the making, this major release represents a big step forward in terms of capabilities, usability and protection.

Key features include:

For a complete list of new features and the changes in this release, see the CHANGES document:

CRS 3.1 is the best stable release of the OWASP ModSecurity Core Rule Set. We advise all users and providers of boxed CRS versions to update their setups. CRS 3.0 won’t see any future updates and we recommend you to migrate onto our new release.

CRS 3.1 requires an Apache/IIS/NGINX web server with ModSecurity 2.8.0 or higher. CRS 3.1 will run on libModSecurity 3.0 on NGINX.

Our GitHub repository is the preferred way to download and update CRS:

$> wget

For detailed installation instructions, see the INSTALL document:

Our desire is to see the Core Rules project as a simple baseline security feature, effectively fighting OWASP TOP 10 weaknesses with few side effects. We are committed to cut down on false positives as much as possible in the default install. We welcome reports of false positives on github.


Chaim Sanders, Walter Hop and Christian Folini on behalf of the Core Rule Set development team

Christian Folini / [@ChrFolini]