@coraza/express — live demo

This Express server runs OWASP Coraza WAF (compiled to WebAssembly) with the full OWASP CoreRuleSet, in block mode.

Try these:

/search?q=hello — benign request, passes through
/search?q=' OR 1=1-- — SQL injection, blocked
/search?q=<script>alert(1)</script> — XSS, blocked
POST /echo with JSON body — echoes back, scanned for payloads

How it works. The middleware runs every request through CRS rules compiled into a WASM transaction. If any rule matches with a deny action, Express returns a 403 before your handler runs.

Source: jptosso/coraza-node-example-express · Library: jptosso/coraza-node · Docs: jptosso.github.io/coraza-node