How to install nginx-owasp-crs (noarch)
OWASP ModSecurity Core Rule Set for Nginx
Install
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install nginx-owasp-crs
Description
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
RPMs
| Package | Size | Changelog |
|---|---|---|
| nginx-owasp-crs-4.27.0-1.amzn2023.noarch | 240 KiB | Danila Vershinin (2026-06-02) - Removed dependency on content-type header for improved reliability. |
| nginx-owasp-crs-4.26.0-1.amzn2023.noarch | 240 KiB | Danila Vershinin (2026-05-04) - Added WhatWAF and ghauri to scanner list. · - Expanded Scanner User Agents List and OS files list. · - Enhanced detection for Server-Side Template Injection attacks. · - Fixed false positives related to parameter names and payloads. · - Updated restricted files to include Perl subdirectories. · - Dropped HTTP/0.9 GET support from request line validation. · - Required path prefix for certain local file inclusion checks. |
| nginx-owasp-crs-4.25.0-1.amzn2023.noarch | 237 KiB | Danila Vershinin (2026-03-29) - Fix CVE-2026-33691: prevent whitespace padding bypass in file uploads. · - Add AWS security agent to user agents data. · - Introduce shell fork bomb detection rule. · - Refactor multiple rule files for improved organization. · - Harden GitHub Actions workflows for better security. · - Update list of Unix commands for accuracy. · - Allow rule exclusions for specific targets. |
| nginx-owasp-crs-4.24.1-1.amzn2023.noarch | 236 KiB | Danila Vershinin (2026-03-10) - Added AI coding assistant artifact protection. · - Expanded Scanner Agents for improved detection. · - Fixed user agent string matching issues. · - Prevented double inspection of cookies. · - Added OWASP Nettacker to known scanners list. · - Refactored multiple .ra files for better organization. · - Improved documentation on threshold alerts. |
| nginx-owasp-crs-4.24.0-1.amzn2023.noarch | 233 KiB | Danila Vershinin (2026-03-01) - Added detection for Smarty template PHP tags. · - Improved regex performance with lazy evaluation. · - Reduced false positives in various detections. · - Enhanced handling of multi-byte UTF-8 characters. · - Updated rules to regex-assembly for better efficiency. · - Fixed issues with JSON variable names in libmodsecurity. · - Added exclusions for Google Funding Choices cookie. |
| nginx-owasp-crs-4.23.0-1.amzn2023.noarch | 232 KiB | Danila Vershinin (2026-02-05) - Added rule to enforce content-type for requests with a body. · - Introduced detection for Vite.js path traversal vulnerability. · - Blocked fake 'mozilla/5.g' user-agent. · - Resolved false positives with ad and tracker cookies. · - Improved handling of malformed URLs in SSRF rules. · - Prevented upload of PHP session files. · - Updated rules for restricted files and file extensions. |
| nginx-owasp-crs-4.22.0-1.amzn2023.noarch | 228 KiB | Danila Vershinin (2026-01-06) - Fixed critical issue 9AJ-260102. · - Added sequence for CVE-2025-55182 POCs. · - Reduced false positives in rules. · - Improved handling of arrays in ARGS_NAMES. · - Updated regex for Rust compatibility. · - Dropped older spelling variants. |
| nginx-owasp-crs-4.21.0-1.amzn2023.noarch | 227 KiB | Danila Vershinin (2025-12-03) - Added IPv6 support and XML scan for SSH scheme. · - Introduced new restricted file extensions detection. · - Improved unit tests for double comment handling. · - Fixed multiple blocking issues in rules. · - Corrected function names in several rules. · - Reduced false positives for substring detections. · - Added help documentation for non-English users. |
| nginx-owasp-crs-4.20.0-1.amzn2023.noarch | 226 KiB | Danila Vershinin (2025-11-03) - Updated restricted file extensions for enhanced security. · - Added configuration files for PrestaShop and Magento. · - Included 'expect' header in restricted headers list. · - Fixed missing capture keyword issue. · - Reduced false positives with JSON payloads. · - Corrected rules to block instead of pass. · - Updated regex to handle new payload formats. |
| nginx-owasp-crs-4.19.0-1.amzn2023.noarch | 225 KiB | Danila Vershinin (2025-10-03) - upstream release v4.19.0 |
| nginx-owasp-crs-4.18.0-1.amzn2023.noarch | 225 KiB | Danila Vershinin (2025-09-04) - upstream release v4.18.0 |