Copilot AI commented Nov 22, 2025

Description

Integrates Coraza WAF v2 with Caddy server to provide application-layer security against common web attacks.

Fixes #1724

Type of change

  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update

Changes

Multi-stage Docker build (frontend/Dockerfile)

  • Added builder stage using xcaddy with github.com/corazawaf/coraza-caddy/v2
  • Custom Caddy binary replaces stock Alpine image
  • Secure WAF data directory (/tmp/coraza/) with 700 permissions

WAF configuration (frontend/coraza.conf)

  • Coraza built-in SQLi and XSS detection operators
  • Custom rules for SQL injection patterns (comments, stored procedures: sp_, xp_, exec)
  • Path traversal protection including double URL-encoding (%252e%252e) and mixed-case variants
  • Blocks 13 sensitive paths: .env, .git, .ssh, .aws, .htaccess, .htpasswd, web.config, admin, config, backup, tmp, logs, wp-admin
  • Security scanner blocking via User-Agent patterns
  • Audit logging to stdout
  • Proper line endings (LF) with final newline per .editorconfig standards

Caddyfile integration (frontend/Caddyfile)

{
    # Global option added after review so the WAF runs before every other HTTP handler
    order coraza_waf first
}

coraza_waf {
    directives `
        Include /etc/caddy/coraza.conf
    `
}

Documentation (README.md)

  • Added WAF to features list and stack description

How Has This Been Tested?

  • No new tests are required
  • Manual tests (description below)

WAF functionality will be validated through existing CI/CD pipeline:

  • Docker image build with custom Caddy
  • E2E tests ensure no functional regression
  • Trivy security scanning

Checklist

  • I have read the CONTRIBUTING doc
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have already been accepted and merged

Further comments

Security rules use defense-in-depth approach:

  1. Coraza's built-in ML-based detection for SQLi/XSS
  2. Pattern-based rules for specific attack vectors
  3. Sensitive path blocking prevents information disclosure

Regex patterns optimized with lazy matching (.*?) and word boundaries (\b) to balance security effectiveness with performance and false positive rates.

All files follow .editorconfig standards with LF line endings and final newlines.

References:

Original prompt

This section details the original issue you should resolve

<issue_title>Increase Security by adding waf to caddy</issue_title>
<issue_description>
https://github.com/corazawaf/coraza-caddy</issue_description>

<agent_instructions>https://github.com/bcgov/copilot-instructions/blob/main/.github/copilot-upstream.md</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@mishraomp https://medium.com/@jptosso/oss-waf-stack-using-coraza-caddy-and-elastic-3a715dcbf2f2




Copilot AI and others added 8 commits November 22, 2025 18:51
Co-authored-by: DerekRoberts <4391600+DerekRoberts@users.noreply.github.com>
…nsitive path protection

Co-authored-by: DerekRoberts <4391600+DerekRoberts@users.noreply.github.com>
Copilot AI changed the title [WIP] Increase security by adding WAF to Caddy Add Coraza WAF to Caddy for Enhanced Security Nov 22, 2025
Copilot AI requested a review from DerekRoberts November 22, 2025 19:07
Co-authored-by: DerekRoberts <4391600+DerekRoberts@users.noreply.github.com>
@DerekRoberts DerekRoberts marked this pull request as ready for review December 10, 2025 00:56
Copilot AI review requested due to automatic review settings December 10, 2025 00:56
@DerekRoberts DerekRoberts changed the title Add Coraza WAF to Caddy for Enhanced Security feat: Coraza WAF to Caddy for Enhanced Security Dec 10, 2025
@DerekRoberts DerekRoberts changed the title feat: Coraza WAF to Caddy for Enhanced Security feat: OWASP Coraza WAF for enhanced security Dec 10, 2025
Copilot AI left a comment


Pull request overview

This PR integrates Coraza WAF v2 with the Caddy server to provide application-layer security against common web attacks including SQL injection, XSS, path traversal, and security scanner detection.

Key Changes:

  • Multi-stage Docker build to compile custom Caddy binary with Coraza WAF plugin
  • Comprehensive WAF rule configuration with SQL injection, XSS, path traversal, and sensitive path protection
  • Updated documentation to reflect the new security feature

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 11 comments.

  • frontend/Dockerfile: Adds multi-stage build with xcaddy builder to compile Coraza WAF plugin, creates WAF data directories
  • frontend/coraza.conf: New WAF configuration file with security rules for SQL injection, XSS, path traversal, null byte injection, and sensitive path blocking
  • frontend/Caddyfile: Integrates Coraza WAF by including the configuration file in the global directives block
  • README.md: Updates feature list and stack description to mention Coraza WAF integration


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Derek Roberts <derek.roberts@gmail.com>
DerekRoberts and others added 6 commits December 9, 2025 17:15
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Derek Roberts <derek.roberts@gmail.com>
- Add 'order coraza_waf first' to Caddyfile global options for proper execution order
- Fix /tmp/coraza directory ownership to UID 1001 for non-root user access
- Update coraza.conf comment to clarify directory creation in Dockerfile
- Add comprehensive WAF documentation section to README.md
- Increase SecRequestBodyNoFilesLimit to 512KB for better API compatibility
- Fix SQL injection regex with word boundaries to reduce false positives
- Remove 'burp' from User-Agent blocking to allow authorized security testing
- Disable SecResponseBodyAccess since no response body rules are configured
- Add documentation comments for SecAuditEngine RelevantOnly behavior
- Update request body limit documentation with clear breakdown
Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.



- Fix critical OpenShift UID compatibility: use GID 0 with 770 permissions
- Remove unused response body settings when disabled
- Remove empty XSS comment section
- Renumber rule 1006 to 1005 to fix ID gap
- Fix ReDoS vulnerability in SQL comment regex (/\*[^*]*\*+/)
- Improve SQL comment pattern to match end of string (--(\s|$))
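Worked example, added here and not the project's own frontend/Caddyfile or frontend/coraza.conf: a single Caddyfile that wires coraza_waf the way the PR description and the review-driven commit messages above lay it out (order first, 512KB no-files body limit, response body access off, RelevantOnly audit log to stdout, built-in SQLi/XSS operators, double-encoded path traversal, sensitive paths, scanner User-Agents, word-bounded SQL patterns). The rule set is inlined in the directives heredoc instead of pulled in with Include so the block stands alone. Everything not named on the page is an assumption: the :8080 listener, the upstream on localhost:3000, the rule IDs, the exact regexes, and the scanner list. Two caveats before copying it: Coraza evaluates @rx with Go's RE2-based regexp, which cannot backtrack catastrophically, so simplifying a pattern buys coverage rather than protection from ReDoS (the comment pattern below is the unrolled form that also matches /* a * b */, which /\*[^*]*\*+/ does not); and a blanket block on /admin or /config also denies any legitimate application route with that prefix, so check the app's routes before enabling the sensitive-path rule.

```caddyfile
{
    # Run the WAF before every other HTTP handler (Caddy has no default position for it).
    order coraza_waf first
}

# Listener and upstream are assumptions for this example.
:8080 {
    coraza_waf {
        # SecLang inline; the PR keeps these lines in /etc/caddy/coraza.conf and uses Include.
        directives `
            SecRuleEngine On
            SecRequestBodyAccess On
            SecRequestBodyLimit 13107200
            # 512KB for non-file bodies, as raised after review for API compatibility.
            SecRequestBodyNoFilesLimit 524288
            # No response-body rules are defined, so do not buffer responses.
            SecResponseBodyAccess Off
            # Matches the /tmp/coraza directory the Dockerfile creates (assumed path).
            SecDataDir /tmp/coraza

            # Audit only denied or failed requests (4xx/5xx except 404) as JSON on stdout.
            SecAuditEngine RelevantOnly
            SecAuditLogRelevantStatus "^(?:40[0-35-9]|4[1-9][0-9]|5[0-9][0-9])$"
            SecAuditLogParts ABCFHZ
            SecAuditLogType Serial
            SecAuditLogFormat JSON
            SecAuditLog /dev/stdout

            # 1001/1002: libinjection-based operators on query, body and cookie values.
            SecRule ARGS|REQUEST_COOKIES "@detectSQLi" "id:1001,phase:2,deny,status:403,log,t:urlDecodeUni,msg:'SQL injection (libinjection)'"
            SecRule ARGS|REQUEST_COOKIES "@detectXSS" "id:1002,phase:2,deny,status:403,log,t:urlDecodeUni,msg:'XSS (libinjection)'"

            # 1003: SQL comment markers and MSSQL procedure names. \b keeps 'export' or 'spoon'
            # from matching; '--' must be followed by whitespace or end of value. Free-text
            # fields containing ' -- ' will still trip this, so scope ARGS if that happens.
            SecRule ARGS "@rx (?i)(?:--(?:\s|$)|/\*[^*]*\*+(?:[^/*][^*]*\*+)*/|\b(?:sp_|xp_)\w+|\bexec\b)" "id:1003,phase:2,deny,status:403,log,t:urlDecodeUni,msg:'SQL comment or stored procedure'"

            # 1004: path traversal. One urlDecodeUni turns %252e%252e into %2e%2e, so matching the
            # once-decoded form catches single and double encoding; lowercase first handles %2E.
            SecRule REQUEST_URI "@rx (?:\.\.|%2e%2e|%2e\.|\.%2e)(?:/|\\|%2f|%5c|$)" "id:1004,phase:1,deny,status:403,log,t:lowercase,t:urlDecodeUni,msg:'Path traversal'"

            # 1005: sensitive paths, anchored at the first segment so /api/config passes.
            SecRule REQUEST_URI "@rx ^/(?:\.env|\.git|\.ssh|\.aws|\.htaccess|\.htpasswd|web\.config|admin|config|backup|tmp|logs|wp-admin)(?:[/?]|$)" "id:1005,phase:1,deny,status:403,log,t:lowercase,t:urlDecodeUni,t:normalisePath,msg:'Sensitive path'"

            # 1006: scanner User-Agents (list assumed; burp left out, as on the page, so authorised tests run).
            SecRule REQUEST_HEADERS:User-Agent "@rx (?:sqlmap|nikto|nmap|masscan|acunetix|nessus|wpscan)" "id:1006,phase:1,deny,status:403,log,t:lowercase,msg:'Security scanner'"
        `
    }

    # Only requests that pass phase 1 and 2 reach the application (assumed upstream).
    reverse_proxy localhost:3000
}
```

Check it with a Caddy binary built via xcaddy --with github.com/corazawaf/coraza-caddy/v2: caddy validate --config Caddyfile parses and provisions the rules, then curl -i 'http://localhost:8080/%252e%252e/etc/passwd' should return 403 with a JSON audit record on stdout, curl -i -A sqlmap http://localhost:8080/ should also return 403, and curl -i http://localhost:8080/api/config should be proxied untouched.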
@DerekRoberts DerekRoberts merged commit 75741b6 into main Dec 10, 2025
38 of 40 checks passed
@DerekRoberts DerekRoberts deleted the copilot/add-waf-to-caddy branch December 10, 2025 04:23
@github-project-automation github-project-automation bot moved this from New to Done in DevOps (NR) Dec 10, 2025