Claude Code for ModSecurity WAF Workflow Guide

ModSecurity is the de facto open-source Web Application Firewall (WAF) that protects web applications from a wide range of attacks, including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. Integrating Claude Code into your ModSecurity workflow can dramatically accelerate rule development, simplify configuration management, and help troubleshoot false positives efficiently. This guide walks you through practical workflows for using Claude Code with ModSecurity.

Setting Up Your ModSecurity Development Environment

Before diving into rule development, ensure you have a proper development environment. Claude Code can help you set this up quickly.

Start by creating a working directory for your ModSecurity configurations:

mkdir -p ~/modsecurity-rules/{rules,logs,conf}
cd ~/modsecurity-rules

Next, create a basic ModSecurity configuration file that Claude Code can help you expand:

ServerName localhost
LoadModule mod_security2 modules/mod_security2.so
LoadModule mod_unique_id modules/mod_unique_id.so

<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyLimitAction Reject
    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000
    
    # Include your custom rules
    Include rules/*.conf
</IfModule>

Claude Code can review this configuration and suggest improvements based on your specific application requirements. Simply ask: “Review this ModSecurity configuration and suggest hardening recommendations.”

Writing Effective ModSecurity Rules with Claude Code

ModSecurity rules use the SecRule directive to inspect requests and responses. Claude Code excels at generating and refining these rules based on security best practices.

Basic Rule Structure

A ModSecurity rule follows this pattern:

SecRule VARIABLES "OPERATOR" "ACTIONS"

For example, to block SQL injection attempts in query parameters:

SecRule ARGS:id "@rx (?i)(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE)\b)" \
    "id:1001,deny,status:403,msg:'SQL Injection Attempt',logdata:'Matched %{MATCHED_VAR}'"

Claude Code can help you generate rules for common attack patterns. Simply describe your requirement:

• “Create a rule to detect XSS attempts in all request parameters”
• “Write rules to protect against path traversal in file upload forms”
• “Generate rules to block common remote file inclusion patterns”

Rule Chaining for Complex Conditions

Many security scenarios require combining multiple conditions. Claude Code can help you construct rule chains:

# Block IP if they trigger 5 or more rules within 60 seconds
SecRule IP:COUNT "@gt 5" \
    "id:2001,deny,status:403,msg:'Rate Limit Exceeded',phase:1, \
    chain,setvar:IP.COUNT=+1,expirevar:IP.COUNT=60"
SecRule &IP:COUNT "@eq 0"

Using OWASP ModSecurity Core Rule Set (CRS)

The OWASP CRS provides a comprehensive set of rules out of the box. Claude Code can help you integrate and customize CRS for your application:

# Include CRS with minimal configuration
Include crs/crs-setup.conf
Include crs/rules/*.conf

# Override specific rules for your application
SecRuleUpdateActionById 942100 "log,pass"

Ask Claude Code to explain specific CRS rules or help you create application-specific exclusions without weakening your security posture.

Troubleshooting False Positives

False positives are one of the biggest challenges when deploying ModSecurity. Claude Code can help you diagnose and resolve them systematically.

Analyzing Audit Logs

ModSecurity’s audit logs contain detailed information about each transaction. Use this command to extract relevant entries:

grep "id:1001" /var/log/modsec_audit.log | tail -50

Then ask Claude Code to analyze the log entry and suggest rule refinements. For example:

“Here’s a blocked request that appears to be a false positive. Analyze the payload and suggest how to modify the rule to allow this legitimate traffic while still catching malicious requests.”

Creating Targeted Exclusions

When you need to create exclusions, always make them as specific as possible:

# Only exclude for specific URI and parameter combination
SecRule ARGS:id "@rx ^[0-9]+$" \
    "id:1002,phase:1,pass,ctl:ruleRemoveById=1001"

Claude Code can help you write exclusion rules that are specific to your application’s legitimate traffic patterns, avoiding overly broad bypasses.

Automating Rule Testing

Testing ModSecurity rules is critical before deployment. Claude Code can help you create automated test suites.

Using curl for Basic Tests

Test a rule with a simple curl command:

curl -H "X-Forwarded-For: 1.2.3.4" "http://localhost/test?id=1' OR '1'='1"

Check the error log:

```bash tail -f /var/log/modsec_error.log

### Creating a Test Script

Claude Code can generate a comprehensive test script:

```bash
#!/bin/bash
# test-modsecurity.sh

TEST_HOST="localhost"
TEST_URI="/api/users"

# Test cases: (description, expected_block, payload)
declare -a TESTS=(
    "SQL Injection Test,true,id=1' OR '1'='1"
    "XSS Test,true,name=<script>alert(1)</script>"
    "Valid Request,false,name=John"
)

for test in "${TESTS[@]}"; do
    IFS=',' read -r desc expected payload <<< "$test"
    response=$(curl -s -o /dev/null -w "%{http_code}" \
        "$TEST_HOST$TEST_URI?$payload")
    
    if [[ "$expected" == "true" && "$response" == "403" ]]; then
        echo "[PASS] $desc - Correctly blocked"
    elif [[ "$expected" == "false" && "$response" != "403" ]]; then
        echo "[PASS] $desc - Correctly allowed"
    else
        echo "[FAIL] $desc - Expected $expected, got $response"
    fi
done

Ask Claude Code to expand this with more comprehensive test cases covering different attack vectors and legitimate use cases.

Best Practices for Claude Code with ModSecurity

Follow these recommendations for productive Claude Code workflows:

1. Start with CRS: Begin with the OWASP Core Rule Set and customize from there rather than writing rules from scratch.

2. Test in Detection Mode First: Deploy new rules in detection mode (SecRuleEngine DetectionOnly) before blocking traffic.

3. Log Extensively: Enable detailed logging during development to understand rule behavior.

4. Version Control Your Rules: Keep your ModSecurity configurations in git. Claude Code can help you write commit messages and track changes.

5. Document Rule Rationale: Add meaningful msg and logdata actions so future maintainers understand why each rule exists.

6. Review Logs Regularly: Use Claude Code to analyze blocked requests weekly and identify patterns that need rule adjustments.

Conclusion

Claude Code transforms ModSecurity WAF management from a tedious manual process into an efficient, assisted workflow. By using Claude Code for rule generation, configuration review, false positive analysis, and test automation, you can maintain robust web application security without sacrificing development speed. Start integrating these patterns into your workflow today, and you’ll see faster rule deployment cycles and more effective protection against web application threats.

Related Reading

• Claude Code for Beginners: Complete Getting Started Guide
• Best Claude Skills for Developers in 2026
• Claude Skills Guides Hub

Built by theluckystrike — More at zovo.one