API Reference
Every exported function across all three SDKs. Function names differ by language convention (camelCase in Node.js, snake_case in Python, PascalCase in Go) but behavior is identical.
Middleware
arcis(config?)
The main middleware. Activates sanitization, rate limiting, and security headers.
| SDK | Usage |
|---|---|
| Node.js | app.use(arcis({ block: true, ...config })) |
| Python (FastAPI) | app.add_middleware(ArcisMiddleware, block=True, config=Config(...)) |
| Python (Flask) | Arcis(app, block=True, config=Config(...)) |
| Go (Gin) | r.Use(arcisgin.Middleware(arcis.Config{Block: true})) |
corsProtection(options)
Whitelist-based CORS enforcement. Opt-in.
csrfProtection(options)
Double-submit cookie CSRF with HMAC. Opt-in.
botProtection(options)
635-pattern bot detection with per-fingerprint rate limiting. Opt-in.
cookieSecurity(options)
Enforces HttpOnly, Secure, SameSite on all cookies. Opt-in.
Sanitizers
Framework-agnostic. Take strings, return sanitized strings.
| Function | What it does |
|---|---|
| sanitizeString(input) | Applies all enabled sanitizers to a string. |
| sanitizeObject(obj) | Recursively sanitizes an object, stripping dangerous keys. |
| sanitizeXss(input) | Strip XSS patterns and HTML-encode. |
| sanitizeSql(input) | Replace SQL patterns with [BLOCKED]. |
| sanitizePath(input) | Strip path traversal patterns (with NFKC normalization). |
| sanitizeCommand(input) | Strip shell metacharacters and control chars. |
| sanitizeSsti(input) | Strip SSTI template syntax. |
| sanitizeXxe(input) | Strip XXE DOCTYPE / ENTITY syntax. |
| sanitizeJsonpCallback(input) | Validate and return safe callback identifiers only. |
| sanitizeHeaderValue(input) | Strip CRLF and null bytes from header values. |
| sanitizeLdap(input) | Escape LDAP filter special characters. |
| sanitizeLdapDn(input) | Escape LDAP DN special characters. |
Detectors
Return true/false without modifying input. Useful for logging or custom handling.
| Function | Detects |
|---|---|
| detectXss(input) | Script injection, event handlers, JS URIs. |
| detectSql(input) | SQL keywords, boolean tautologies, comments. |
| detectSsti(input) | Template syntax. |
| detectXxe(input) | XML entity declarations. |
| detectPathTraversal(input) | ../ and encoded variants. |
| detectCommandInjection(input) | Shell metacharacters, subshells. |
| detectHeaderInjection(input) | CRLF injection patterns. |
| detectLdapInjection(input) | LDAP filter injection. |
| detectNoSqlInjection(obj) | Dangerous MongoDB operators in an object. |
| detectPrototypePollution(obj) | Prototype-polluting keys in an object. |
Context-Aware Encoders
Use when rendering user content in different output contexts.
```js
import {
  encodeForHtml,      // HTML body: &, <, >, ", '
  encodeForAttribute, // HTML attributes: all non-alphanumeric as &#xHH;
  encodeForJs,        // JS string: \xHH / \uHHHH
  encodeForUrl,       // URL param: encodeURIComponent + extra chars
  encodeForCss,       // CSS value: \HH with trailing space
} from '@arcis/node';
```
Validators
validateUrl(url, options?)
SSRF-safe URL validation. Blocks private IPs, loopback, cloud metadata, IP-encoding bypasses.
```js
validateUrl('http://169.254.169.254/')
// { safe: false, reason: 'link-local address (169.254.0.0/16)' }
validateUrl('https://api.example.com/')
// { safe: true }
```
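As an added example (my own code, not part of @arcis/node), here is a standalone check of the kind validateUrl performs: it relies on Node's built-in WHATWG URL parser to canonicalise decimal, octal and hex IPv4 host forms, then tests the host against loopback, private, link-local and IPv4-mapped IPv6 ranges. The function, range table and reason strings are assumptions of this example, not the SDK's.

```javascript
// Added example, not @arcis/node code. Node's global URL turns hosts such as
// 2852039166, 0xa9fea9fe or 0251.0376.0251.0376 into 169.254.169.254 before we look at them.
const BLOCKED_V4 = [                                 // [network, prefix length, reason]
  ['0.0.0.0', 8, 'unspecified address (0.0.0.0/8)'],
  ['10.0.0.0', 8, 'private address (10.0.0.0/8)'],
  ['127.0.0.0', 8, 'loopback address (127.0.0.0/8)'],
  ['169.254.0.0', 16, 'link-local address (169.254.0.0/16)'],
  ['172.16.0.0', 12, 'private address (172.16.0.0/12)'],
  ['192.168.0.0', 16, 'private address (192.168.0.0/16)'],
];
// Hostnames that point at local or metadata services whatever address they resolve to.
const BLOCKED_HOSTS = new Set(['localhost', 'metadata.google.internal']);

function ipv4ToInt(ip) {                             // dotted quad -> unsigned 32-bit, or null
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}

function blockedReasonV4(ip) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return null;                    // not an IPv4 literal
  for (const [net, bits, reason] of BLOCKED_V4) {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    if (((addr & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0)) return reason;
  }
  return null;
}

function checkOutboundUrl(input) {
  let url;
  try { url = new URL(input); } catch { return { safe: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { safe: false, reason: `disallowed scheme (${url.protocol})` };
  }
  let host = url.hostname;                           // already lowercase and canonical
  if (BLOCKED_HOSTS.has(host) || host.endsWith('.localhost')) {
    return { safe: false, reason: `blocked hostname (${host})` };
  }
  if (host.startsWith('[')) { host = host.slice(1, -1);   // IPv6 literal, e.g. [::1]
    if (host === '::1' || host === '::') return { safe: false, reason: `loopback or unspecified IPv6 (${host})` };
    if (/^(fe[89ab]|f[cd])/.test(host)) return { safe: false, reason: `link-local or unique-local IPv6 (${host})` };
    // IPv4-mapped IPv6 is serialised as ::ffff:hhhh:hhhh; unwrap it and reuse the IPv4 range check.
    const m = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (m) { const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16); host = `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`; }
  }
  const reason = blockedReasonV4(host);
  return reason ? { safe: false, reason } : { safe: true };
}
```

A production check should additionally resolve the hostname and re-check the resolved addresses, since a DNS name can point at a private range at fetch time.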
validateRedirect(url, allowlist)
Open redirect prevention. Only allows paths or whitelisted hosts.
validateEmail(email)
Email validation with disposable blocklist, typo suggestions, optional MX check.
PII Detection
scanPii(input)
Returns an array of PII matches found (email, phone, SSN, credit card).
redactPii(input)
Returns the input with detected PII redacted (e.g., ****-****-1234).
Rate Limit Stores
MemoryStore
Default in-memory store. Fine for single-instance deployments.
RedisStore({ client })
For multi-instance / distributed rate limiting. Pass a connected Redis client instance.
Logging
createSafeLogger(logger)
Wraps any logger to auto-redact PII and secrets from log entries.