CRS Project
The 1st Line of Defense
The OWASP® CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.
The CRS aims to protect web applications from a wide range of attacks,
including the OWASP Top Ten, with a minimum of false alerts.
The CRS provides protection against many common attack categories.
Get latest: 4.25.0
Get previous major: 3.3.9
Now Available
CRS 4.25.0 LTS — First Long-Term Support Release
CRS 4.25.0 is the first Long-Term Support release for the CRS 4 line.
This release focuses on stability: completing the migration to regex-assembly, small improvements, and false positive fixes.
Organizations running CRS 3.3 should plan their migration now — CRS 3.3.x support ends Q3 2026.
What's New in CRS 4
CRS 4 includes many coverage improvements, plus the following features:
Plug-in architecture allowing official and 3rd party plugins to integrate into CRS
Early-Blocking option
Over 500 individual rule bypasses closed following a big Bug Bounty project
Smarty template injection (SSTI) detection
Improved multi-byte UTF-8 handling for CJK, Arabic, and Hebrew scripts
Web shell detection
Full RE2/Hyperscan compatibility for better performance
Support for HTTP/3
More granular reporting options
Supported Attack Categories
SQL Injection (SQLi)
Cross Site Scripting (XSS)
Local File Inclusion (LFI)
Remote File Inclusion (RFI)
PHP Code Injection
Java Code Injection
Server-Side Template Injection (SSTI)
HTTPoxy
Shellshock
Unix/Windows Shell Injection
Session Fixation
Scanner/Bot Detection
Metadata/Error Leakages
Community
👋 Be part of a vibrant and welcoming community.
🗺️ Join us on Slack for discussions, see GitHub for our projects, or follow us on Twitter.
💯 Our dev-on-duty program financed by sponsors guarantees 1st level support via multiple channels.
💫 Annual developer retreats bring the developers together for a full week where we hack away at the rule set.
🤙 We are always looking for new contributors and developers.
Latest Blog Posts
Migrating from CRS 3.3 to CRS 4.25 LTS — Part 3: The Plugin Architecture
Migrating from CRS 3.3 to CRS 4.25 LTS — Part 2: Configuration
Migrating from CRS 3.3 to CRS 4.25 LTS — Part 1: Overview
Related Projects And Tools
CRS doesn't exist in a vacuum. Most importantly, we work closely with WAF engines that run CRS:
ModSecurity
Coraza
There are also a couple of tools that exist in the CRS universe. Some we use for development, others are useful for CRS users or penetration testers.
We maintain a list of these tools in the documentation.
Call for Sponsors
We are looking for more Gold and Silver sponsors, not least because we have big plans
and we need support to make them happen. If you think that would be a win-win opportunity for
your company or organization, then please get in touch and send an e-mail to:
sponsoring at coreruleset dot org.