
Conversation


Copilot AI commented Nov 22, 2025

Description

Integrates Coraza WAF v2 with Caddy server to provide application-layer security against common web attacks.

Fixes #1724

Type of change

  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update

Changes

Multi-stage Docker build (frontend/Dockerfile)

  • Added builder stage using xcaddy with github.com/corazawaf/coraza-caddy/v2
  • Custom Caddy binary replaces stock Alpine image
  • Secure WAF data directory (/tmp/coraza/) with 700 permissions

WAF configuration (frontend/coraza.conf)

  • Coraza built-in SQLi and XSS detection operators
  • Custom rules for SQL injection patterns (comments, stored procedures: sp_, xp_, exec)
  • Path traversal protection including double URL-encoding (%252e%252e) and mixed-case variants
  • Blocks 13 sensitive paths: .env, .git, .ssh, .aws, .htaccess, .htpasswd, web.config, admin, config, backup, tmp, logs, wp-admin
  • Security scanner blocking via User-Agent patterns
  • Audit logging to stdout
  • Proper line endings (LF) with final newline per .editorconfig standards

Caddyfile integration (frontend/Caddyfile)

coraza_waf {
    directives `
        Include /etc/caddy/coraza.conf
    `
}

Documentation (README.md)

  • Added WAF to features list and stack description

How Has This Been Tested?

  • No new tests are required
  • Manual tests (description below)

WAF functionality will be validated through existing CI/CD pipeline:

  • Docker image build with custom Caddy
  • E2E tests ensure no functional regression
  • Trivy security scanning

Checklist

  • I have read the CONTRIBUTING doc
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have already been accepted and merged

Further comments

Security rules use a defense-in-depth approach:

  1. Coraza's built-in ML-based detection for SQLi/XSS
  2. Pattern-based rules for specific attack vectors
  3. Sensitive path blocking prevents information disclosure

Regex patterns optimized with lazy matching (.*?) and word boundaries (\b) to balance security effectiveness with performance and false positive rates.

All files follow .editorconfig standards with LF line endings and final newlines.

References:

Original prompt

This section details the original issue you should resolve

<issue_title>Increase Security by adding waf to caddy</issue_title>
<issue_description>
https://github.com/corazawaf/coraza-caddy</issue_description>

<agent_instructions>https://github.com/bcgov/copilot-instructions/blob/main/.github/copilot-upstream.md</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@mishraomp https://medium.com/@jptosso/oss-waf-stack-using-coraza-caddy-and-elastic-3a715dcbf2f2

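The rule set the "Changes" list describes, written out as an added example. This is not the PR's own coraza.conf; the rule ids 9001-9006 and the two scanner User-Agent strings are constructed placeholders, and the SecDefaultAction lines are an assumption about how `block` should resolve. The Caddyfile block quoted in the description loads the file through `Include /etc/caddy/coraza.conf`.

```apacheconf
# Example coraza.conf in the shape the PR describes (added illustration, not the
# PR's file). Rule ids 9001-9006 and the scanner UA strings are placeholders.

SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 1048576
SecRequestBodyLimitAction Reject

# "block" in a rule defers to the disruptive action declared here; without
# these two lines a blocking rule would only log the request and let it pass.
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

# Audit log to the container's stdout, only for requests a rule acted on.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:4|5)"
SecAuditLogParts ABCFHZ
SecAuditLogType Serial
SecAuditLogFormat JSON
SecAuditLog /dev/stdout

# Built-in libinjection operators for SQLi and XSS. Transformations run in the
# order listed; t:none first discards any inherited defaults.
SecRule ARGS|REQUEST_HEADERS:Cookie "@detectSQLi" \
    "id:9001,phase:2,t:none,t:urlDecodeUni,block,msg:'SQL Injection Detected'"
SecRule ARGS|REQUEST_HEADERS:Cookie|REQUEST_HEADERS:Referer "@detectXSS" \
    "id:9002,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,block,msg:'XSS Detected'"

# Path traversal.
# Weak form (left commented out for comparison): matching the raw URI with no
# transformations misses %2e%2e, double-encoded %252e%252e and mixed-case %2E.
# SecRule REQUEST_URI "@rx \.\./" "id:9003,phase:1,block,msg:'Path Traversal'"
#
# Hardened form: decode twice so %252e%252e becomes "..", then lowercase.
# Do not add t:normalisePath here: it would resolve "../" away before the
# regex sees it.
SecRule REQUEST_URI|ARGS "@rx \.\./" \
    "id:9004,phase:1,t:none,t:urlDecodeUni,t:urlDecodeUni,t:lowercase,block,msg:'Path Traversal Attempt'"

# Sensitive paths, checked against the path only (REQUEST_FILENAME excludes
# the query string). Anchored at the start and terminated by "/" or end of
# string so /admin-panel or /configuration are not caught by accident.
# Caveat: "admin", "config", "tmp" and "logs" are common legitimate route
# names; confirm the application serves none of them before enabling this.
SecRule REQUEST_FILENAME "@rx ^/(?:\.env|\.git|\.ssh|\.aws|\.htaccess|\.htpasswd|web\.config|admin|config|backup|tmp|logs|wp-admin)(?:/|$)" \
    "id:9005,phase:1,t:none,t:urlDecodeUni,t:lowercase,block,msg:'Sensitive Path Access Blocked'"

# Scanner User-Agents. @pm is a case-insensitive multi-pattern match; the two
# strings below are placeholders, not real scanner signatures.
SecRule REQUEST_HEADERS:User-Agent "@pm example-scanner-a example-scanner-b" \
    "id:9006,phase:1,t:none,block,msg:'Security Scanner User-Agent Blocked'"
```

Two points worth checking when adapting this: every rule carries its own `t:none` followed by the decoders it needs, because a rule inherits nothing from the rules above it, and the traversal rule relies on the order of transformations (decode, decode, lowercase) rather than on regex alternations for each encoding. With `SecAuditLog /dev/stdout` the JSON audit records appear in the container log stream alongside Caddy's own output.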

Copilot AI changed the title from "[WIP] Increase security by adding WAF to Caddy" to "Add Coraza WAF to Caddy for Enhanced Security" Nov 22, 2025
Copilot AI requested a review from DerekRoberts November 22, 2025 19:07
Copilot finished work on behalf of DerekRoberts November 22, 2025 19:07

# Null byte injection
SecRule REQUEST_URI|ARGS|REQUEST_HEADERS "@rx \x00" \
"id:1008,phase:2,block,log,msg:'Null Byte Injection Detected',status:403" No newline at end of file
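Review bot: rule id:1008 lists no transformations, so `@rx \x00` only matches a raw 0x00 byte in REQUEST_URI, ARGS or REQUEST_HEADERS; a URL-encoded null (`%00`) in the URI or a parameter passes unless a SecDefaultAction for phase 2 supplies `t:urlDecodeUni`. Suggest making the decode explicit in the action list: `"id:1008,phase:2,t:none,t:urlDecodeUni,block,log,msg:'Null Byte Injection Detected',status:403"`. The "No newline at end of file" marker also shows the file still lacks its final newline, which the .editorconfig in this repository requires.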
Member

@copilot Please make sure all files have the correct line endings.

Contributor Author

Fixed in f0dee6f. Added final newline to coraza.conf to comply with .editorconfig (insert_final_newline = true). All files now use LF line endings with proper final newlines.

Copilot AI requested a review from DerekRoberts November 25, 2025 20:57
Copilot finished work on behalf of DerekRoberts November 25, 2025 20:57