v1.4.0 — HPP protection, CSRF hardening, 14 audit rules

Security middleware that just works

One line of code. 45+ security flaws neutralized at runtime. Zero dependencies. Zero configuration. Node.js, Python, and Go.

Get Started View on GitHub
app.js
import { arcis } from '@arcis/node';

// That's it. 45+ security flaws handled.
app.use(arcis());
Works with your stack
·
Express
·
FastAPI
·
Flask
·
Django
·
Gin
·
Echo
·
net/http
·
Fastify
·
Koa
·
Hono
·
Express
·
FastAPI
·
Flask
·
Django
·
Gin
·
Echo
·
net/http
·
Fastify
·
Koa
·
Hono
45+
Security Flaws Handled
3
SDKs — Node, Python, Go
2,795+
Tests Passing
0
Dependencies
What Makes Arcis Different

We don't just detect threats.
We neutralize them.

Other tools report possibilities. Arcis removes the danger before your code ever sees it. One package replaces your entire security middleware stack.

Zero Configuration

Secure defaults out of the box. Every protection is on by default. You opt out, never in.

  • HttpOnly, Secure, SameSite cookies by default
  • All 15 security headers pre-configured
  • Rate limiting active at 100 req/60s

Remove, Don't Report

Most tools flag vulnerabilities. Arcis strips the attack payload and lets safe content through. No manual triage.

  • Remove-then-encode sanitization pipeline
  • Idempotent: safe input is never corrupted
  • Sub-5ms overhead per request

True Cross-Language Parity

Same input produces the same output in Node.js, Python, and Go. Not "similar" — identical. Shared test vectors enforce it.

  • 2,800+ shared test cases across 3 SDKs
  • Shared regex patterns from patterns.json
  • Contract-first: spec before code

Zero Dependencies

Every line of detection logic lives inside the package. No transitive deps. No supply chain attack surface.

  • Self-contained regex engine
  • No node_modules bloat
  • Auditable in minutes, not hours

Supply Chain Scanner

arcis sca detects compromised npm and PyPI packages from real-world supply chain attacks. CI exit codes included.

  • Detects trojanized axios (npm), litellm (PyPI)
  • Scans lockfiles, node_modules, pip packages
  • Finds persistent .pth backdoors

Fail Open, Never Crash

If Redis goes down, requests still flow. Availability beats denial. Your rate limiter should never take down your app.

  • Infrastructure errors allow requests through
  • Pluggable stores: memory (default) or Redis
  • Thread-safe across all three languages
The Problem

8 libraries or 1 line of code?

Without Arcis

  • helmet for security headers
  • DOMPurify for XSS sanitization
  • express-rate-limit for rate limiting
  • csurf for CSRF protection
  • cors for CORS handling
  • hpp for parameter pollution
  • express-validator for input validation
  • cookie-parser for secure cookies
  • 8 APIs. 8 configs. 8 update cycles.

With Arcis

  • One package: @arcis/node
  • One line: app.use(arcis())
  • 45+ flaws covered instantly
  • Zero dependencies to audit
  • Same API across 3 languages
  • Secure defaults, no config needed
  • Updates one package, not eight
  • Works with any framework
  • Ship fast. Ship safe.
Capabilities

Everything you need to secure your backend

Input Sanitization

Strip dangerous patterns from user input before your code processes it. Remove-then-encode pipeline prevents bypass attacks.

  • XSS, SQL, NoSQL, command injection
  • Path traversal, SSTI, XXE, JSONP
  • Header injection, prototype pollution
  • Case-insensitive, encoding-aware matching

Rate Limiting

Three algorithms with pluggable storage. Per-IP isolation, automatic cleanup, and X-RateLimit-* response headers.

  • Fixed window, sliding window, token bucket
  • In-memory (default) or Redis store
  • Fail-open on infrastructure errors
  • Thread-safe across all languages

Context-Aware Encoding

Output the right encoding for every context. Prevents XSS where sanitization alone isn't enough.

  • encodeForHtml() — HTML body context
  • encodeForJs() — JavaScript strings
  • encodeForUrl() — URL parameters
  • encodeForCss(), encodeForAttribute()

Input Validation

Schema-based validation with mass assignment prevention. Only fields you define reach your code.

  • Type checking, ranges, enums, patterns
  • Email validation with MX verification
  • File upload validation (type, size, name)
  • Unknown fields silently dropped

Security Headers & CORS

15 security headers set automatically. Whitelist-based CORS with Vary: Origin. Null origin blocked.

  • CSP, HSTS, X-Frame-Options, COOP
  • CORP, COEP, Origin-Agent-Cluster
  • X-Content-Type-Options, X-DNS-Prefetch
  • Secure cookie enforcement by default

CLI Security Tools

Scan your codebase for vulnerabilities and compromised packages directly from the terminal.

  • arcis sca — supply chain attack scanner
  • arcis scan — vulnerability scanner
  • arcis audit — static analysis (14 rules)
  • CI-friendly exit codes
Architecture

How Arcis protects every request

Every incoming request passes through a six-stage security pipeline before reaching your application logic. Every outgoing response is hardened before reaching the client.

1

Rate Limiting

Per-IP flood protection. Fixed window, sliding window, or token bucket. In-memory or Redis-backed.

429 Too Many Requests
2

Bot Detection

80+ patterns across 7 categories: crawlers, scrapers, AI bots, CLI tools, and behavioral fingerprinting.

403 Forbidden
3

Input Sanitization

Strip XSS, SQL injection, NoSQL, command injection, path traversal, SSTI, XXE, JSONP, header injection, prototype pollution, HTTP parameter pollution.

11 attack vectors neutralized
4

CSRF Verification

Double-submit cookie pattern with constant-time token comparison. Per-request skipCsrf callback and __Host- cookie prefix support.

403 CSRF Token Invalid
5

Your Code Runs

Clean, validated, sanitized input. Your application logic never sees raw attack payloads. Only safe data reaches your handlers.

200 OK — safe and sound
6

Response Hardening

15 security headers, secure cookies (HttpOnly, Secure, SameSite), CORS enforcement, error scrubbing — all applied automatically.

headers + cookies + error scrubbing
Multi-Language

One API. Three languages. Identical behavior.

Write your backend in Node.js, Python, or Go. Arcis protects all three with the same API contract. Same test vectors, same output, same guarantees.

Express / Fastify / Koa / Hono
import { arcis } from '@arcis/node';
import express from 'express';

const app = express();
app.use(arcis()); // All 45+ protections active

app.get('/', (req, res) => {
  // req.query and req.body are already sanitized
  res.json({ message: 'Safe and sound.' });
});
FastAPI / Flask / Django
from fastapi import FastAPI
from arcis import ArcisMiddleware

app = FastAPI()
app.add_middleware(ArcisMiddleware) # All 45+ protections active

@app.get("/")
def root():
    # Input already sanitized and validated
    return {"message": "Safe and sound."}
Gin / Echo / net/http
package main

import (
    "github.com/gin-gonic/gin"
    arcisgin "github.com/GagancM/arcis/gin"
)

func main() {
    r := gin.Default()
    r.Use(arcisgin.Middleware()) // All 45+ protections active
    r.Run()
}
Protection

45+ security flaws. One package.

Covers OWASP Top 10 and beyond. From injection attacks to response hardening — if it can hurt your app, Arcis handles it.

XSS
Script injection, event handlers, javascript: URIs, SVG payloads
SQL Injection
Keywords, boolean logic, comments, time-based blind
NoSQL Injection
35 MongoDB operators: $gt, $where, $regex, $function
Command Injection
Shell metacharacters, subshells, redirections, newlines
Path Traversal
../ sequences, encoded variants, double-encoding, null bytes
SSRF
Private IPs, cloud metadata, decimal/octal/hex bypass
Prototype Pollution
7 keys blocked case-insensitively at object traversal
CSRF
Double-submit cookie, constant-time token comparison
SSTI
Jinja2, Twig, Freemarker, ERB, Pug, Python dunder chains
XXE
DOCTYPE, ENTITY, SYSTEM/PUBLIC references stripped
Rate Limiting
Fixed, sliding window, token bucket — memory or Redis
Security Headers
CSP, HSTS, X-Frame-Options, COOP, CORP, COEP — 15 total
Bot Detection
80+ patterns, 7 categories, behavioral fingerprinting
Open Redirect
Absolute URLs, javascript:, protocol-relative, backslash
Error Leakage
Stack traces, DB errors, internal IPs, connection strings
Header Injection
CRLF injection, response splitting, null bytes stripped
HTTP Parameter Pollution
Duplicate query/body params normalized, last-value-wins, per-param whitelist
CSRF Hardening
Per-request skipCsrf callback, __Host- cookie prefix enforcement
Unsafe Deserialization
Static analysis detects pickle.loads, eval, unsafe YAML in audit rules
SSRF via Code
Audit detects user-controlled URLs passed to fetch/requests/http.Get
Comparison

Arcis replaces your entire security stack

Capability Arcis Helmet DOMPurify express-rate-limit Arcjet Aikido Zen
XSS sanitization
SQL injection
Rate limiting
Security headers
CSRF protection
Bot detection
SSRF prevention
Supply chain scanner
Multi-language3 SDKsNode onlyBrowserNode only4 SDKsNode + Py
Zero dependencies
Open sourceFreemiumPaid
"We don't just flag what might be vulnerable.
We strip the danger before your code ever sees it."
Get Started

Secure your app in under a minute

Install Arcis. Add one line. Ship with confidence.

copied!
Node.js
npm install @arcis/node
copied!
Python
pip install arcis
copied!
Go
go get github.com/GagancM/arcis
Read the Docs View on GitHub
Get In Touch

Questions? Feedback? Integrations?

Community

Ask questions, share feedback, and get help from the community.

GitHub Discussions

Report a Bug

Found something wrong? Help us make Arcis more secure for everyone.

Open an Issue

Contact

Enterprise integrations, partnerships, or just want to say hello.

Reach Out