Quietly proud of this one. My first contribution to the OWASP Core Rule Set shipped in v4.24.1 on March 9, 2026.
What shipped
Rule 930140 — AI coding assistant artifact protection (PR #4519)
AI coding assistants like GitHub Copilot, Cursor, and Claude Code generate a growing set of configuration, context, and memory files alongside your code. These files — .cursorrules, CLAUDE.md, .github/copilot-instructions.md, and others — often contain sensitive context: system prompts, internal architecture notes, API patterns, and instructions that were never intended to be publicly accessible.
If any of these files end up in a web root and get served by accident, they're a low-noise information disclosure. The rule detects attempts to access them and blocks the request.
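A deployment-time check that complements the rule, as an added example (not code from CRS or from PR #4519): it walks a web root and reports the artifact files named above so they can be removed before anything serves them. The function names and the sample tree are constructed for illustration, and the list holds only the three files this post names.

```python
import os
import tempfile

# Artifact paths named in the post. The post says "and others"; extend this
# tuple with the files of the assistants your teams actually use.
ARTIFACT_PATHS = (
    ".cursorrules",
    "CLAUDE.md",
    ".github/copilot-instructions.md",
)

def find_ai_artifacts(docroot):
    """Return sorted docroot-relative paths of AI assistant artifact files."""
    # A project may be deployed into any subdirectory, so each artifact path is
    # matched as a suffix of the file path, one whole path component at a time.
    # Comparison is case-insensitive because some filesystems serve either case.
    wanted = [tuple(p.lower().split("/")) for p in ARTIFACT_PATHS]
    hits = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        dir_parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        for name in filenames:
            parts = dir_parts + [name]
            lowered = tuple(part.lower() for part in parts)
            if any(lowered[-len(w):] == w for w in wanted):
                hits.append("/".join(parts))
    return sorted(hits)

def build_sample_docroot(base):
    """Create a constructed sample tree (not real data) for the demo."""
    files = [
        "index.html",
        "CLAUDE.md",
        "app/.cursorrules",
        "app/.github/copilot-instructions.md",
        "docs/copilot-instructions.md",  # not under .github: must not match
        "notes/MYCLAUDE.md",             # different file name: must not match
    ]
    for rel in files:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        for hit in find_ai_artifacts(root):
            print("exposed artifact:", hit)
```

Run it against the built artifact or the deployed document root in CI and fail the job on any hit; the WAF rule then remains the backstop for files that slip through.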
Why I worked on this
I spend a lot of time at the intersection of WAF and modern development workflows. As AI coding tools became part of everyday dev, I started noticing these artifact files appearing in production environments — not from malice, just the natural messiness of how projects grow. It felt like a gap worth filling.
Contributing to CRS has been on my list for a while. Getting a rule into the ruleset is a process — the community is rigorous about false positive analysis, coverage, and documentation. That rigour is exactly why CRS is trusted.
OWASP CRS
The OWASP Core Rule Set is the de facto open source WAF ruleset, used by ModSecurity, Coraza, AWS WAF managed rules, and dozens of other WAF implementations worldwide. If you run a WAF, there's a good chance CRS is underneath it.
v4.24.1 also shipped scanner agent expansions, a fix to avoid inspecting cookies twice, and a large batch of regex-assembly refactors from the core team.