diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 38cffbc..86f9f40 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -16,6 +16,9 @@ services:
 - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
 - "--metrics.prometheus.addEntryPointsLabels=true"
 - "--metrics.prometheus.addServicesLabels=true"
+ # --- Coraza WAF ---
+ - "--experimental.plugins.coraza.modulename=github.com/jcchavezs/coraza-http-wasm-traefik"
+ - "--experimental.plugins.coraza.version=v0.2.0"
 ports:
 - "80:80"
 - "443:443"
diff --git a/docker/traefik/dynamic_conf.yml b/docker/traefik/dynamic_conf.yml
index eac73b6..49c2466 100644
--- a/docker/traefik/dynamic_conf.yml
+++ b/docker/traefik/dynamic_conf.yml
@@ -15,20 +15,32 @@ http:
 scheme: https
 permanent: true
+ waf:
+ plugin:
+ coraza:
+ directives:
+# - "SecRuleEngine DetectionOnly"
+ - "SecRuleEngine On"
+ - "SecDebugLog /dev/stdout"
+ - "SecDebugLogLevel 2"
+# - "SecRule REQUEST_URI \"@rx /admin\" \"id:101,phase:1,log,deny,status:403\""
+ - "SecRule ARGS \"@rx (union|select|insert|drop|alter)\" \"id:102,phase:2,log,deny,status:403\""
+
 routers:
- # === REST API пользователей ===
+ # --- REST API пользователей ---
 api:
 rule: "Host(`api.eventhub.local`)"
 entryPoints: ["web"]
- middlewares: ["redirect-to-https"]
+ middlewares: ["redirect-to-https", "waf"]
 service: "api"
 api-secure:
 rule: "Host(`api.eventhub.local`)"
 entryPoints: ["websecure"]
 tls: true
+ middlewares: ["waf"]
 service: "api"
- # === WebSocket пользователей ===
+ # --- WebSocket пользователей ---
 ws:
 rule: "Host(`ws.eventhub.local`)"
 entryPoints: ["web"]
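Review bot: The two `--experimental.plugins.coraza.*` flags pin the plugin version, but nothing records that Traefik resolves this module from its plugin catalog when the container starts, so the Traefik container needs outbound network access the first time it boots and a version bump silently changes the WAF engine that fronts every router in dynamic_conf.yml. A comment next to the version line should say so, e.g. `# Fetched from the Traefik plugin catalog at startup (needs egress); bump deliberately and re-test the directives in traefik/dynamic_conf.yml`. Whether a failed fetch blocks startup or only disables the middleware depends on the Traefik release in use, which this hunk does not show. The enclosing service definition starts and ends outside the hunk.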
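Review bot: The only active rule, the `SecRule ARGS` line at phase 2, inspects query-string arguments alone because no `SecRequestBodyAccess On` directive is set, so form and JSON bodies sent to `api` and `admin-api` are never evaluated; add `- "SecRequestBodyAccess On"` above it (JSON bodies additionally need a body-processor rule, which the Coraza recommended config provides). The regex itself is case-sensitive (no `t:lowercase` transformation) and unanchored, so it fires on ordinary words such as `selection` or `alteration` in any parameter while offering little real coverage; the upstream ruleset (`Include @coraza.conf-recommended`, `Include @crs-setup.conf.example`, `Include @owasp_crs/*.conf`, if the v0.2.0 plugin bundles it — confirm against its README) is the intended replacement for a hand-written keyword list. On the `api` router `waf` is listed after `redirect-to-https`, and since that middleware answers every `web`-entrypoint request with a permanent redirect, the WAF on that router inspects nothing; the same applies to `admin-api` in the next hunk, so `waf` is only meaningful on the `-secure` routers. The `ws` and `admin-ws` routers receive no `waf` middleware, which may be intentional for WebSocket upgrades but deserves a comment either way. `SecDebugLog /dev/stdout` with `SecDebugLogLevel 2` looks like a development setting; the level to keep in production is best noted next to it.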
@@ -40,19 +52,20 @@ http:
 tls: true
 service: "ws"
- # === Админский REST ===
+ # --- Админский REST ---
 admin-api:
 rule: "Host(`admin.eventhub.local`)"
 entryPoints: ["web"]
- middlewares: ["redirect-to-https"]
+ middlewares: ["redirect-to-https", "waf"]
 service: "admin-api"
 admin-api-secure:
 rule: "Host(`admin.eventhub.local`)"
 entryPoints: ["websecure"]
 tls: true
+ middlewares: ["waf"]
 service: "admin-api"
- # === Админский WebSocket ===
+ # --- Админский WebSocket ---
 admin-ws:
 rule: "Host(`admin-ws.eventhub.local`)"
 entryPoints: ["web"]
@@ -85,7 +98,7 @@ http:
 servers:
 - url: "http://fallback:80"
- # === WebSocket пользователей (простой балансировщик) ===
+ # === WebSocket пользователей ===
 ws:
 loadbalancer:
 servers:
@@ -113,7 +126,7 @@ http:
 servers:
 - url: "http://fallback:80"
- # === Админский WebSocket (простой балансировщик) ===
+ # === Админский WebSocket ===
 admin-ws:
 loadbalancer:
 servers: