2026

First performance benchmark

Barbacana is an HTTP reverse proxy that runs the OWASP CRS v4 ruleset on every request. This blog entry explains how it was benchmarked on two Google Cloud instance types — c3-standard-4 (4 vCPU) and e2-standard-8 (8 vCPU) — across six load tiers from 100 to 1500 requests per second (RPS), using a mixed workload of GET, POST, file uploads, and simulated attack traffic.

Per-vCPU throughput was consistent across both machines at approximately 125 RPS per vCPU. p99 latency stayed between 35 and 65 ms across the operating range, and memory remained between 119 and 137 MB until saturation. All simulated attack requests were blocked at every load level.

CPU profiling confirmed the expected outcome: the dominant cost is CRS rule evaluation; the proxy layer itself adds no measurable overhead. This post describes the methodology, results, and operational implications.

v0.4.0: Easier to configure, with new opt-in aggressive rules

This release makes Barbacana easier to configure. Protection names are rewritten in plain language, the rule catalog is reorganized into a three-level tree, and aggressive rules with high false-positive rates move to a new opt-in enable: list. A few security headers that were breaking apps in surprising ways are now off by default. A latent bug that prevented response-side detection from running is fixed. Detection rates on the request side are practically unchanged.

This is a breaking change, but the migration is straightforward.

v0.1.0 Security Baseline: What Barbacana Catches, What It Misses, and What Comes Next

Barbacana v0.1.0 is out. Right after the release, two independent test suites were run to measure what the WAF catches and what it misses. For a first release, the numbers are good: 99.7% on the OWASP CRS v4 conformance tests, 100% on API Security (REST and SOAP), and 90.78% of legitimate traffic allowed through. The full results are published below, without any filtering. It is more useful to know where detection fails than to publish a clean summary.