Barbacana
Secure by default. Simple by design.
Barbacana is an open-source WAF and API security gateway. It sits between the internet and your application, inspects every HTTP request for known attack patterns — SQL injection, XSS, command injection, path traversal, and hundreds more — and blocks malicious requests before they reach your code.

Quickstart
    docker run --rm -p 8080:8080 \
      -v "$(pwd)/waf.yaml:/etc/barbacana/waf.yaml:ro" \
      ghcr.io/barbacana-waf/barbacana:latest
That's it. Every protection is on by default.
Why Barbacana
Most WAFs need deep security expertise, a full platform, or a cloud subscription. Barbacana gives you production-grade protection with a YAML file, human-readable protection names, and a single binary.
You disable sql-injection-union on a noisy route — not SecRuleRemoveById 942100.
- Secure by default: Every protection on at install. You disable what you don't need.
- Simple YAML: No rule syntax, no DSL. Three lines of YAML protect a route.
- Auto-TLS: Add a hostname; certificates provision and renew automatically.
- Single binary: No platform to operate. One container image, one config file.
- 500+ OWASP rules: Backed by the OWASP Core Rule Set, exposed as named protections.
Built on
- Caddy — HTTP server, TLS, HTTP/2, HTTP/3, reverse proxy
- Coraza — WAF engine (pure Go, no CGO)
- OWASP CRS v4 — attack detection rules
Barbacana wraps all three so you don't have to learn any of them.
Thanks
Barbacana stands on the shoulders of the Caddy, Coraza, and OWASP CRS communities. Two decades of work by their maintainers, contributors, and researchers make this project possible — a handful of YAML lines can deliver production-grade protection only because that groundwork already exists. Thank you.