Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0

The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of the OWASP ModSecurity Core Rule Set Version 3.2.0.

The new release is available for download at

This release represents a very big step forward in terms of both capabilities and protections including:

  • Improved compatibility with ModSecurity 3.x
  • Improved CRS docker container that is fully configurable at creation
  • Expanded Java RCE blacklist
  • Expanded unix shell RCE blacklist
  • Improved PHP RCE detection
  • New javascript/Node.js RCE detection
  • Expanded LFI blacklists
  • Added XenForo rule exclusion profile
  • Fixes for many false positives and bypasses
  • Detection of more security scanners
  • Regexp performance improvements preventing ReDoS in most cases

Please see the CHANGES document with around 150 entries for a detailed list of new features and improvements:

Our desire is to see the Core Rule Set project used as a baseline security feature, effectively protecting from OWASP TOP 10 risks with few side effects. As such we attempt to cut down on false positives as much as possible in the default install.

Please use the CRS GitHub (, our slack channel (#coreruleset on, or the Core Rule Set mailing list to tell us about your experiences, including false positives or other issues with this release candidate.

Walter Hop, release manager, on behalf of the Core Rule Set development team

2 thoughts on “Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0”

Leave a Comment

Your email address will not be published. Required fields are marked *