OWASP ModSecurity Core Rule Set

The 1st Line of Defense Against Web Application Attacks

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, Local File Inclusion, etc.

CRS Logo

The official website of the project can be found at https://coreruleset.org.

Getting Started / Tutorials

The following tutorials will get you started with ModSecurity and the CRS v3.

These tutorials are part of a big series of Apache/ModSecurity guides published by netnea. They are written by Christian Folini, Co-Lead of the CRS project.

More Information about the rule set is available at the official website.

Please note, there is also a ModSecurity Handbook, 2nd edition written by CRS project lead Christian Folini, that can be useful to understand the behavior of the engine and the rule set. The book does not cover the rule set itself, though.


OWASP ModSecurity CRS is free to use. It is licensed under the Apache Software License version 2 (ASLv2), so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Reporting Issues

  • If you think you’ve found a false positive in commercially available software and want us to take a look, submit an issue here on our Github
  • Have you found a false negative/bypass? See our policy first on how to contact us.


You can find the project logos in the OWASP Swag repository.


Project Gold Sponsors

Project Silver Sponsors