OWASP ModSecurity Core Rule Set v3.3.0 available

The OWASP ModSecurity Core Rule Set team is proud to announce the final release for CRS v3.3.0.

For downloads and installation instructions, please see the Installation page.

This release packages many changes, such as:

Important upgrade notes:

Please see the CHANGES document with around 160 entries for the complete list of new features and improvements: https://github.com/coreruleset/coreruleset/blob/v3.3.0/CHANGES

Finally, we have done a lot of infrastructure work during this release, such as the move from TrustWave to our own GitHub organization and the conversion of our CI to GitHub Actions. We are very grateful to our developers who have invested much time in this process, with a special nod to developer Felipe Zipitria who created a GitHub bot to preserve all the project’s issue history.

Our desire is to see the Core Rule Set project used as a baseline security feature, effectively protecting from OWASP TOP 10 risks with few side effects. As such we attempt to cut down on false positives as much as possible in the default install. Please use the CRS GitHub (https://github.com/coreruleset/coreruleset), our slack channel (#coreruleset on owasp.slack.com), or the Core Rule Set mailing list to tell us about your experiences, including false positives or other issues with this release!

Walter Hop, release manager, on behalf of the Core Rule Set development team

Walter Hop