Skip to content

docs: add blogpost on CRSLang #449

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
fzipi wants to merge 4 commits into
base: main
Choose a base branch
from
Open

docs: add blogpost on CRSLang #449

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
24bc0ed
docs: add blogpost on CRSLang
fzipi Jan 22, 2026
443929f
fix: code examples
fzipi Feb 1, 2026
1be6a58
Merge branch 'main' into feat/add-blogpost-crslang
fzipi Feb 1, 2026
364a15a
Update content/blog/2026-01-22-introducing-crslang-the-next-generatio…
fzipi Feb 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions content/blog/2026-01-22-introducing-crslang-the-next-generation-rule-language.md
View file
Open in desktop
Copy link
Contributor

@theseion theseion Feb 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to make it more clear that we don't see CRSLang necessarily as a language that engines will parse but a language for rule writers. We should highlight our vision that the tooling will provide the following functions:

  • transform rules into different engine formats (transformers take into account engine quirks)
  • engine specific output can be filtered, e.g., by tag, platform to produce minimal / application specific rule sets
  • engine specific output can be augmented with additional information, e.g., tags, comments, etc.

Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
---
title: 'Introducing CRSLang: The Next Generation Rule Language for OWASP CRS'
date: '2026-01-22'
author: fzipi
categories:
- Blog
---

We're excited to introduce **CRSLang**, a new YAML-based rule language that will replace Seclang in the next major release of OWASP CRS. This represents a significant evolution in how we write, maintain, and deploy WAF rules.

## Why CRSLang?

For nearly two decades, the OWASP CRS has relied on ModSecurity's Seclang syntax. While Seclang has served us well, it comes with significant limitations that have become increasingly apparent as the project has grown:

### The Problems with Seclang

- **Technology Lock-in**: Rules are tightly coupled to ModSecurity syntax, making it difficult to support other WAF engines
- **Portability Issues**: Direct deployment to alternative WAF platforms requires significant translation efforts
- **Complexity**: Rules are hard to read, write, and maintain, with all components mixed in long strings
- **Learning Curve**: The steep barrier to entry discourages new contributors
- **Limited Expressiveness**: Complex logical conditions (especially OR operations) require workarounds, and there's no support for template functions

Consider this typical Seclang rule:

```apache
# Validate request line against the format specified in the HTTP RFC
SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]..." \
"id:920100,\
phase:1,\
block,\
t:none,\
msg:'Method is not allowed by policy',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'attack-protocol',\
ver:'OWASP_CRS/4.0.0',\
severity:'WARNING'"