Traefik WASM Plugins: Write Middleware in Any Language

Dec 4, 2025

traefikwasmwebassemblyproxymiddleware

Traefik Proxy v3 introduced WebAssembly (WASM) plugin support, allowing you to write middleware in languages beyond Go—including Rust, C/C++, and JavaScript. This is a major leap from the previous Yaegi-only approach.

Why WASM over Yaegi?

Before v3, Traefik plugins required Go code interpreted by Yaegi, an embedded Go interpreter. While convenient (no compilation needed), Yaegi has limitations:

Performance: Interpreted, not compiled to native code
Language lock-in: Go only
Incomplete Go spec: Not all Go features are supported
No external packages: Can’t import third-party Go libraries

WASM plugins solve all of these:

Aspect	Yaegi	WASM
Performance	Interpreted	Near-native
Languages	Go only	Go, Rust, C, JS, etc.
Security	Runs in process	Sandboxed isolation
External deps	Not supported	Language-dependent

Security: The Sandbox Advantage

WASM plugins run in a sandboxed environment, isolated from the core Traefik process. Even if a plugin contains vulnerable or malicious code, it cannot directly compromise Traefik itself. This is a significant security improvement over Yaegi plugins, which run in the same process.

Configuration Example

Static config (declare the plugin):

experimental:
  plugins:
    example:
      moduleName: github.com/traefik/plugindemowasm
      version: v0.0.1

Dynamic config (apply as middleware):

http:
  middlewares:
    my-plugin:
      plugin:
        example:
          headers:
            Foo: Bar

Real-World Use Case: Coraza WAF

Traefik v3 shipped with its first official WASM plugin: Coraza WAF, an open-source Web Application Firewall. It demonstrates the power of WASM—running complex security logic at near-native speed within Traefik’s request pipeline.

Development Workflow

Write your plugin in Go (using TinyGo to compile to WASM) or Rust
Compile to plugin.wasm
Create a .traefik.yml manifest
Test locally in ./plugins-local/src/github.com/[org]/[name]/
Publish to GitHub with the traefik-plugin topic for catalog discovery

Key Takeaways

WASM = performance + security + language choice for Traefik middleware
Sandboxing isolates plugins from the proxy core
Coraza WAF proves WASM is production-ready for security-critical workloads
The Traefik plugin catalog auto-discovers properly tagged GitHub repos
Yaegi still works for simple, Go-only plugins where convenience matters more than performance

The shift from interpreted to compiled plugins mirrors what we’re seeing across the industry—WASM is becoming the universal runtime for extensibility.