corazawaf
diff --git a/‎.github/workflows/close-issues.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/close-issues.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 10 additions & 0 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/workflows/fuzz.yml‎
Lines changed: 6 additions & 1 deletion b/‎.github/workflows/fuzz.yml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.github/workflows/lint.yml‎
Lines changed: 8 additions & 0 deletions b/‎.github/workflows/lint.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎.github/workflows/regression.yml‎
Lines changed: 38 additions & 23 deletions b/‎.github/workflows/regression.yml‎
Lines changed: 38 additions & 23 deletions
diff --git a/‎.github/workflows/tinygo.yml‎
Lines changed: 11 additions & 3 deletions b/‎.github/workflows/tinygo.yml‎
Lines changed: 11 additions & 3 deletions
diff --git a/‎README.md‎
Lines changed: 5 additions & 3 deletions b/‎README.md‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎config.go‎
Lines changed: 7 additions & 0 deletions b/‎config.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎coraza.conf-recommended‎
Lines changed: 7 additions & 12 deletions b/‎coraza.conf-recommended‎
Lines changed: 7 additions & 12 deletions
diff --git a/‎examples/http-server/go.mod‎
Lines changed: 5 additions & 5 deletions b/‎examples/http-server/go.mod‎
Lines changed: 5 additions & 5 deletions
@@ -3,6 +3,8 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions: {}
+
 jobs:
   close-issues:
     runs-on: ubuntu-latest
 
@@ -3,10 +3,20 @@ on:
   pull_request:
   schedule:
     - cron: '0 6 * * 6'
+
+permissions: {}
+
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
 
     steps:
     - name: Checkout repository
 
@@ -6,15 +6,20 @@ on:
     - cron: "05 14 * * *"
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   fuzz:
     name: Fuzz tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
-          go-version: ">=1.24.0"
+          go-version: ">=1.25.0"
       - run: go run mage.go fuzz
       - run: |
           gh issue create --title "$GITHUB_WORKFLOW #$GITHUB_RUN_NUMBER failed" \
 
@@ -14,9 +14,17 @@ on:
       - "**/*.md"
       - "LICENSE"
 
+permissions: {}
+
+concurrency:
+  group: lint-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
       - name: Install Go
 
@@ -8,37 +8,51 @@ on:
       - "**/*.md"
       - "LICENSE"
   pull_request:
+    branches:
+      - main
     paths-ignore:
       - "**/*.md"
       - "LICENSE"
 
-jobs:
-  # Generate matrix of tags for all permutations of the tests
-  generate-matrix:
-    runs-on: ubuntu-latest
-    outputs:
-      tags: ${{ steps.generate.outputs.tags }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+permissions: {}
+
+concurrency:
+  group: regression-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
-      - name: Generate tag combinations
-        id: generate
-        run: |
-          go run mage.go tagsmatrix > tags.json
-          echo "tags=$(cat tags.json)" >> "$GITHUB_OUTPUT"
-        shell: bash
+jobs:
   test:
-    needs: generate-matrix
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.24.x, 1.25.x]
+        go-version: [1.25.x]
         os: [ubuntu-latest]
-        build-flag: ${{ fromJson(needs.generate-matrix.outputs.tags) }}
+        build-flag:
+          - ""
+          - "coraza.rule.mandatory_rule_id_check"
+          - "coraza.rule.case_sensitive_args_keys"
+          - "coraza.rule.no_regex_multiline"
+          - "coraza.no_memoize"
+          - "coraza.rule.multiphase_evaluation"
+          - "no_fs_access"
+          - "coraza.rule.multiphase_evaluation,coraza.rule.mandatory_rule_id_check"
+          - "coraza.rule.multiphase_evaluation,coraza.rule.case_sensitive_args_keys"
+          - "coraza.rule.multiphase_evaluation,coraza.rule.no_regex_multiline"
+          - "no_fs_access,coraza.no_memoize"
+          - "coraza.rule.mandatory_rule_id_check,coraza.rule.case_sensitive_args_keys,coraza.rule.no_regex_multiline"
+          - "coraza.rule.multiphase_evaluation,coraza.rule.mandatory_rule_id_check,coraza.rule.case_sensitive_args_keys,coraza.rule.no_regex_multiline,coraza.no_memoize,no_fs_access"
+        include:
+          - go-version: 1.26.x
+            os: ubuntu-latest
+            build-flag: ""
+          - go-version: 1.26.x
+            os: ubuntu-latest
+            build-flag: "coraza.rule.multiphase_evaluation,coraza.rule.mandatory_rule_id_check,coraza.rule.case_sensitive_args_keys,coraza.rule.no_regex_multiline,coraza.no_memoize,no_fs_access"
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     env:
-      GOLANG_BASE_VERSION: "1.24.x"
+      GOLANG_BASE_VERSION: "1.25.x"
     steps:
       - name: Checkout code
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
@@ -48,9 +62,9 @@ jobs:
           go-version: ${{ matrix.go-version }}
           cache: true
       - name: Tests and coverage
-        run: |
-          export BUILD_TAGS=${{ matrix.build-flag }}
-          go run mage.go coverage
+        env:
+          BUILD_TAGS: ${{ matrix.build-flag }}
+        run: go run mage.go coverage
       - name: "Codecov: General"
         uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
         if: ${{ matrix.go-version == env.GOLANG_BASE_VERSION }}
@@ -84,12 +98,13 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       checks: read
+      contents: read
     steps:
       - name: GitHub Checks
         uses: poseidon/wait-for-status-checks@899c768d191b56eef585c18f8558da19e1f3e707 # v0.6.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          delay: 120s # give some time to matrix jobs
+          delay: 30s
           interval: 10s # default value
           timeout: 3600s # default value
           ignore: "codecov/patch,codecov/project"
@@ -14,15 +14,23 @@ on:
       - "**/*.md"
       - "LICENSE"
 
+permissions: {}
+
+concurrency:
+  group: tinygo-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.24.x]
+        go-version: [1.25.x]
         # tinygo-version is meant to stay aligned with the one used in corazawaf/coraza-proxy-wasm
         tinygo-version: [0.40.1]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
@@ -53,5 +61,5 @@ jobs:
       - name: Tests
         run: tinygo test -v -short ./internal/...
 
-      - name: Tests memoize
-        run: tinygo test -v -short -tags=memoize_builders ./internal/...
+      - name: Tests no_memoize
+        run: tinygo test -v -short -tags=coraza.no_memoize ./internal/...
@@ -100,9 +100,11 @@ have compatibility guarantees across minor versions - use with care.
 the operator with `plugins.RegisterOperator` to reduce binary size / startup overhead.
 * `coraza.rule.multiphase_evaluation` - enables evaluation of rule variables in the phases that they are ready, not
 only the phase the rule is defined for.
-* `memoize_builders` - enables memoization of builders for regex and aho-corasick
-dictionaries to reduce memory consumption in deployments that launch several coraza
-instances. For more context check [this issue](https://github.com/corazawaf/coraza-caddy/issues/76)
+* `coraza.no_memoize` - disables the default memoization of regex and aho-corasick builders.
+Memoization is enabled by default and uses a global cache to reuse compiled patterns across WAF
+instances, reducing memory consumption and startup overhead. In long-lived processes that perform
+live reloads, use `WAF.Close()` (via `experimental.WAFCloser`) to release cached entries when a
+WAF is destroyed, or use this tag to opt out of memoization entirely.
 * `no_fs_access` - indicates that the target environment has no access to FS in order to not leverage OS' filesystem related functionality e.g. file body buffers.
 * `coraza.rule.case_sensitive_args_keys` - enables case-sensitive matching for ARGS keys, aligning Coraza behavior with RFC 3986 specification. It will be enabled by default in the next major version.
 * `coraza.rule.no_regex_multiline` - disables enabling by default regexes multiline modifiers in `@rx` operator. It aligns with CRS expected behavior, reduces false positives and might improve performances. No multiline regexes by default will be enabled in the next major version. For more context check [this PR](https://github.com/corazawaf/coraza/pull/876)
 
@@ -94,6 +94,7 @@ type wafRule struct {
 // int is a signed integer type that is at least 32 bits in size (platform-dependent size).
 // We still basically assume 64-bit usage where int are big sizes.
 type wafConfig struct {
+	ruleObserver             func(rule types.RuleMetadata)
 	rules                    []wafRule
 	auditLog                 *auditLogConfig
 	requestBodyAccess        bool
@@ -119,6 +120,12 @@ func (c *wafConfig) WithRules(rules ...*corazawaf.Rule) WAFConfig {
 	return ret
 }
 
+func (c *wafConfig) WithRuleObserver(observer func(rule types.RuleMetadata)) WAFConfig {
+	ret := c.clone()
+	ret.ruleObserver = observer
+	return ret
+}
+
 func (c *wafConfig) WithDirectivesFromFile(path string) WAFConfig {
 	ret := c.clone()
 	ret.rules = append(ret.rules, wafRule{file: path})
 
@@ -34,6 +34,9 @@ SecRule REQUEST_HEADERS:Content-Type "^application/json" \
 SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
      "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 
+# Configures the maximum JSON recursion depth limit Coraza will accept.
+SecRequestBodyJsonDepthLimit 1024
+
 # Enable JSON stream request body parser for NDJSON (Newline Delimited JSON) format.
 # This processor handles streaming JSON where each line contains a complete JSON object.
 # Commonly used for bulk data imports, log streaming, and batch API endpoints.
@@ -48,14 +51,6 @@ SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
 #SecRule REQUEST_HEADERS:Content-Type "^application/json-seq" \
 #     "id:'200010',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSONSTREAM"
 
-# Optional: Limit the number of JSON objects in NDJSON/JSON Sequence streams to prevent abuse
-# Uncomment and adjust the limit as needed for your bulk endpoints
-#
-#SecRule TX:jsonstream_request_line_count "@gt 1000" \
-#     "id:'200009',phase:2,t:none,deny,status:413,\
-#     msg:'Too many JSON objects in stream',\
-#     logdata:'Line count: %{TX.jsonstream_request_line_count}'"
-
 # Maximum request body size we will accept for buffering. If you support
 # file uploads, this value must has to be as large as the largest file
 # you are willing to accept.
@@ -143,11 +138,11 @@ SecDataDir /tmp/
 #
 #SecUploadDir /opt/coraza/var/upload/
 
-# If On, the WAF will store the uploaded files in the SecUploadDir
-# directory.
-# Note: SecUploadKeepFiles is currently NOT supported by Coraza
+# Controls whether intercepted uploaded files will be kept after
+# transaction is processed. Possible values: On, Off, RelevantOnly.
+# RelevantOnly will keep files only when a matching rule is logged (rules with 'nolog' do not qualify).
 #
-#SecUploadKeepFiles Off
+#SecUploadKeepFiles RelevantOnly
 
 # Uploaded files are by default created with permissions that do not allow
 # any other user to access them. You may need to relax that if you want to
 
@@ -1,21 +1,21 @@
 module github.com/corazawaf/coraza/v3/examples/http-server
 
-go 1.24.0
+go 1.25.0
 
 require github.com/corazawaf/coraza/v3 v3.3.3
 
 require (
-	github.com/corazawaf/libinjection-go v0.2.2 // indirect
+	github.com/corazawaf/libinjection-go v0.3.2 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/magefile/mage v1.15.1-0.20250615140142-78acbaf2e3ae // indirect
 	github.com/petar-dambovaliev/aho-corasick v0.0.0-20250424160509-463d218d4745 // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/valllabh/ocsf-schema-golang v1.0.3 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/tools v0.35.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	rsc.io/binaryregexp v0.2.0 // indirect
 )