The OWASP ModSecurity Core Rule Set team is proud to announce the final release for CRS v3.3.0.
For downloads and installation instructions, please see the Installation page.
This release packages many changes, such as:
Important upgrade notes:
allowed_request_content_type
has been changed to be more in line with other variables. If you had manually changed this setting, then you need to update it. Please see the example rule 900220 in the file crs-setup.conf.example. If you didn’tchange this setting, you don’t need to do anything.Please see the CHANGES document with around 160 entries for the complete list of new features and improvements: https://github.com/coreruleset/coreruleset/blob/v3.3.0/CHANGES
Finally, we have done a lot of infrastructure work during this release, such as the move from TrustWave to our own GitHub organization and the conversion of our CI to GitHub Actions. We are very grateful to our developers who have invested much time in this process, with a special nod to developer Felipe Zipitria who created a GitHub bot to preserve all the project’s issue history.
Our desire is to see the Core Rule Set project used as a baseline security feature, effectively protecting from OWASP TOP 10 risks with few side effects. As such we attempt to cut down on false positives as much as possible in the default install. Please use the CRS GitHub (https://github.com/coreruleset/coreruleset), our slack channel (#coreruleset on owasp.slack.com), or the Core Rule Set mailing list to tell us about your experiences, including false positives or other issues with this release candidate.