The OWASP Core Rule Set provides guidelines for many of the aspects surrounding the project. Please explore some of these below. If you are looking to submit a security issue with the Core Rule Set please email security [ at ]

Core Rule Set Documentation

We maintain a large body of documentation about effective methods to deploy the Core Rule Set (this is a set of documents generated from this code here). Unfortunately, it settled some dust and it’s probably better to turn to the following alternative until we update it.

There is an extended set of tutorials at, that introduces the CRS integration and the handling of false positives with great detail. It is worth checking out:

There is also a ModSecurity Handbook, 2nd edition written by CRS project co-lead Christian Folini, that can be useful to understand the behavior of the engine and the rule set. Note however, that the book does not cover the rule set itself.

Contribution Guidelines

If you are looking for information about how to join our vibrant community of Core Rule Set developers we invite you to check out our Github repository. When you’re ready to contribute we’ve outlined some of the guidelines that we use to keep  our project managed.


OWASP Core Rule Set is an open source set of security rules licensed under Apache 2.0. Although it was originally developed for ModSecurity’s SecRules language it can be, and often has been, freely modified, reproduced, and adapted for various commercial and non-commercial endeavors. We encourage individuals and organizations to commit back to the OWASP Core Rule Set where possible.


The Core Rule Set project endeavors not to make breaking changes in minor releases (i.e. 3.1.1), instead these releases will fix bugs otherwise identified in the previous release. New functionality and breaking changes will be made in major releases (i.e. 3.3). If you are interested in seeing what has changed in recent versions of the software please see our CHANGES file.