v1.6.3. ArcisGuard for NestJS, bruteForceProtection, pack-and-attack CI across 7 example repos

Inside-the-app security middleware. One install. Three languages. Security middleware that just works

Arcis blocks XSS, SQL injection, SSRF, CSRF, prompt injection, bot traffic, and 20+ more attack types before your handler runs. Nineteen framework adapters across Node, Python, and Go. Fully open-source. No cloud dependency. No closed binaries. No agent.

app.js
import express from 'express';
import { arcis } from '@arcis/node';

const app = express();

// That's it. 20+ attack vectors handled.
app.use(arcis());
Works with your stack: Express · FastAPI · Flask · Django · Gin · Echo · net/http · Fastify · Koa · Hono
20+ security flaws handled · 3 SDKs (Node, Python, Go) · 4,287+ tests passing · 0 dependencies

AI writes code faster than security can keep up

More people are building software than ever. Most of them without a security background. Copilot and Cursor generate functional code in seconds, but they don't reason about threat models. Apps are shipping to production with zero security layer.

  • 80% of new apps ship without CSRF, rate limiting, or input sanitization
  • 8-12 separate libraries are needed to properly secure a web app today
  • 1 line of Arcis replaces all of them with zero configuration

8 libraries or 1 line of code?

Without Arcis

  • Eight to twelve separate packages, one per concern: headers, sanitization, CSRF, rate limits, CORS, parameter pollution, validation, cookies.
  • Eight APIs. Eight configs. Eight release cycles.
  • Days of research and integration.

With Arcis

  • One package, one line: app.use(arcis({ block: true }))
  • 20+ attack vectors covered instantly.
  • Lean dependencies. Zero configuration.

See the full side-by-side comparison with other tools below ↓

How Arcis protects every request

Every incoming request passes through a six-stage security pipeline before reaching your application logic. Every outgoing response is hardened before reaching the client.

1. Rate Limiting: Per-IP flood protection. Fixed window, sliding window, or token bucket. In-memory or Redis-backed. → 429 Too Many Requests
2. Bot Detection: 695 patterns across 7 categories, namely search engines, social, monitoring, AI crawlers, scrapers, automated tools, and behavioral fingerprinting on missing browser headers. → 403 Forbidden
3. Input Sanitization: Strips XSS, SQL injection, NoSQL, command injection, path traversal, SSTI, XXE, JSONP, header injection, prototype pollution. → 10 attack vectors neutralized
4. CSRF Verification: Double-submit cookie pattern with constant-time token comparison. Prevents timing side-channel attacks. → 403 CSRF Token Invalid
5. Your Code Runs: Clean, validated, sanitized input. Your application logic never sees raw attack payloads. Only safe data reaches your handlers. → 200 OK, safe and sound
6. Response Hardening: 16 security headers, secure cookies (HttpOnly, Secure, SameSite), CORS enforcement, error scrubbing, all applied automatically. → headers + cookies + error scrubbing
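What stage 4 means in practice, as an added Node.js example that is not Arcis's own code: a double-submit cookie check whose token comparison takes the same time whether the tokens differ in the first byte or the last. The cookie name, header name and token format are assumptions.

```javascript
// Added example, not Arcis's own implementation. Cookie and header names are assumed.
// Double-submit only holds if an attacker cannot set cookies for your origin: issue the
// cookie with the __Host- prefix, Secure and SameSite so a sibling subdomain cannot plant one.

// Compare without an early exit, so elapsed time does not reveal how many leading characters
// matched. Production code should call crypto.timingSafeEqual(); the loop is written out here
// to show what "constant time" means.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;                 // a length mismatch is a mismatch
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0); // past the end charCodeAt is NaN -> 0
  }
  return diff === 0;
}

const COOKIE_NAME = '__Host-csrf-token';
const HEADER_NAME = 'x-csrf-token';
const TOKEN_RE = /^[0-9a-f]{64}$/;              // 32 random bytes, hex-encoded

// req is a minimal request shape: { method, cookies: {}, headers: {}, body: {} }.
// Returns null when the request passes and the reason string when it is rejected (403).
function checkCsrf(req) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return null; // safe methods are exempt
  const cookieToken = (req.cookies || {})[COOKIE_NAME];
  const submitted = (req.headers || {})[HEADER_NAME] || (req.body || {})._csrf;
  // Validate shape first so the comparison always runs on two well-formed hex strings.
  if (typeof cookieToken !== 'string' || !TOKEN_RE.test(cookieToken)) return 'missing or malformed cookie token';
  if (typeof submitted !== 'string' || !TOKEN_RE.test(submitted)) return 'missing or malformed submitted token';
  return constantTimeEqual(cookieToken, submitted) ? null : 'token mismatch';
}

// Constructed sample requests; the token is a fixed placeholder, not a real random value.
const token = 'ab'.repeat(32);
const samples = {
  valid:    { method: 'POST', cookies: { [COOKIE_NAME]: token }, headers: { [HEADER_NAME]: token }, body: {} },
  noHeader: { method: 'POST', cookies: { [COOKIE_NAME]: token }, headers: {}, body: {} },
  mismatch: { method: 'POST', cookies: { [COOKIE_NAME]: token }, headers: { [HEADER_NAME]: 'cd'.repeat(32) }, body: {} },
  get:      { method: 'GET', cookies: {}, headers: {}, body: {} },
};
for (const [name, req] of Object.entries(samples)) {
  console.log(`${name}: ${checkCsrf(req) ?? '200 OK'}`);
}
```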

One API. Three languages. Identical behavior.

Write your backend in Node.js, Python, or Go. Arcis protects all three with the same API contract. Same test vectors, same output, same guarantees.

Express / Fastify / Koa / Hono
import { arcis } from '@arcis/node';
import express from 'express';

const app = express();
app.use(arcis()); // All core protections active. Add CSRF, CORS, bot detection as needed.

app.get('/', (req, res) => {
  // req.query and req.body are already sanitized
  res.json({ message: 'Safe and sound.' });
});
FastAPI / Flask / Django
from fastapi import FastAPI
from arcis import ArcisMiddleware

app = FastAPI()
app.add_middleware(ArcisMiddleware) # All core protections active. Add CSRF, CORS, bot detection as needed.

@app.get("/")
def root():
    # Input already sanitized and validated
    return {"message": "Safe and sound."}
Gin / Echo / net/http
package main

import (
    "github.com/gin-gonic/gin"
    arcisgin "github.com/GagancM/arcis/gin"
)

func main() {
    r := gin.Default()
    r.Use(arcisgin.Middleware()) // All core protections active. Add CSRF, CORS, bot detection as needed.
    r.Run()
}

20+ attack vectors. One package.

Covers OWASP Top 10 and beyond, from injection attacks to response hardening. If it can hurt your app, Arcis handles it.

  • XSS: Script injection, event handlers, javascript: URIs, SVG payloads
  • SQL Injection: Strips known SQL patterns from input as defense-in-depth. Not a replacement for parameterized queries: use both.
  • NoSQL Injection: 35 MongoDB operators: $gt, $where, $regex, $function
  • Command Injection: Shell metacharacters, subshells, redirections, newlines
  • Path Traversal: ../ sequences, encoded variants, double-encoding, null bytes
  • SSRF: Private IPs, cloud metadata, decimal/octal/hex bypass
  • Prototype Pollution: 7 keys blocked case-insensitively at object traversal
  • CSRF: Double-submit cookie, constant-time token comparison
  • SSTI: Jinja2, Twig, Freemarker, ERB, Pug, Python dunder chains
  • XXE: DOCTYPE, ENTITY, SYSTEM/PUBLIC references stripped
  • Rate Limiting: Application-level: fixed, sliding window, token bucket, memory or Redis. Complements proxy/CDN-level limiting, not a replacement.
  • Security Headers: CSP, HSTS, X-Frame-Options, COOP, CORP, COEP. 16 total
  • Bot Detection: 695 patterns, 7 categories, behavioral fingerprinting
  • Open Redirect: Absolute URLs, javascript:, protocol-relative, backslash
  • Error Leakage: Stack traces, DB errors, internal IPs, connection strings
  • Header Injection: CRLF injection, response splitting, null bytes stripped
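Why the SSRF entry lists decimal/octal/hex bypass: a filter that compares the host string against "127.0.0.1" or "169.254.169.254" never sees those literals when the address is written as 2130706433, 0x7f.1 or 0177.0.0.1. The following Node.js normaliser is an added example, not Arcis's code; the blocked-range list is an assumption, and hostnames (which must be resolved first) are out of scope.

```javascript
// Added example, not Arcis's own code. Hostnames are out of scope: resolve them, check the
// resolved address, and re-check at connect time (DNS rebinding).

// One dotted component, parsed as inet_aton() does: 0x.. is hex, a leading 0 is octal, else decimal.
function parsePart(p) {
  if (/^0[xX][0-9a-fA-F]+$/.test(p)) return parseInt(p.slice(2), 16);
  if (p.length > 1 && p[0] === '0') return /^[0-7]+$/.test(p) ? parseInt(p, 8) : NaN;
  if (/^[0-9]+$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// Unsigned 32-bit address, or null if host is not an IPv4 literal. inet_aton() accepts
// 1 to 4 components and the last one fills the remaining bytes, so 127.1 is 127.0.0.1.
function parseIPv4Literal(host) {
  let h = host.trim();
  const mapped = /^\[?::ffff:([^\]]+)\]?$/i.exec(h); // IPv4-mapped IPv6, e.g. [::ffff:127.0.0.1]
  if (mapped) h = mapped[1];
  const vals = h.split('.').map(parsePart);
  if (vals.length > 4 || vals.some(Number.isNaN)) return null;
  let addr = 0;
  for (let i = 0; i < vals.length - 1; i++) {
    if (vals[i] > 255) return null;
    addr = addr * 256 + vals[i];
  }
  const lastBits = (5 - vals.length) * 8; // 32, 24, 16 or 8 bits for the last component
  if (vals[vals.length - 1] >= 2 ** lastBits) return null;
  return addr * 2 ** lastBits + vals[vals.length - 1];
}

// Ranges an outbound-request filter refuses (assumed list). Link-local covers the
// 169.254.169.254 cloud metadata endpoint; 0.0.0.0/8 reaches localhost on Linux.
const BLOCKED = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]]
  .map(([ip, bits]) => [parseIPv4Literal(ip), bits]);

function inCidr(addr, base, bits) {
  return ((addr ^ base) >>> (32 - bits)) === 0;
}

// 'blocked' or 'allowed' for IPv4 literals; anything else must be resolved or handled as IPv6 first.
function classifyHost(host) {
  const addr = parseIPv4Literal(host);
  if (addr === null) return host.includes(':') ? 'ipv6-literal' : 'needs-resolution';
  return BLOCKED.some(([base, bits]) => inCidr(addr, base, bits)) ? 'blocked' : 'allowed';
}

for (const h of ['2130706433', '0x7f.1', '0177.0.0.1', '169.254.169.254', '8.8.8.8', 'example.com']) {
  console.log(`${h} -> ${classifyHost(h)}`);
}
```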

Arcis replaces your entire security stack

Capability              Arcis     Helmet     DOMPurify  express-rate-limit  Arcjet     Aikido Zen
XSS sanitization
SQL injection
Rate limiting
Security headers
CSRF protection
Bot detection
SSRF prevention
Supply chain scanner
Multi-language          3 SDKs    Node only  Browser    Node only           Node + Py  Node + Py
Lean core dependencies
Licensing               Open source · Freemium · Paid

Want the deep-dive comparison? Read vs Arcjet, vs Aikido Zen, vs Snyk, vs Cloudflare WAF, or vs CAPTCHAs.

Who uses Arcis

Solo developers

You're shipping fast, using Copilot or Cursor, and you don't have time to wire up 8 security libraries. Arcis handles the baseline so you can focus on the product.

Small teams

No dedicated security engineer. One install covers what would otherwise take weeks of research and configuration. Defaults are secure out of the box.

Established companies

Adding Arcis to an existing project takes one line. No refactoring, no breaking changes. Runs alongside whatever security you already have.

Recently shipped

Arcis is actively maintained and hardened continuously. Every release closes real bypass vectors found during security audits.

v1.6.3 ArcisGuard for NestJS (proper deny on detect via CanActivate). bruteForceProtection middleware. Six new prompt-injection signatures. osv::query_batch for the Rust CLI. Pack-and-attack CI gate across seven example repos. THIRDPARTY-LICENSES.md with attribution for every adopted upstream.
v1.6.2 Go SDK reaches three-way parity on v1.6 detection (V32 toolcall, V33 deserialization markers, V34 GraphQL alias / fragment cycle, CorrelationWindow, mutation tester). Q8 LDAP NOT-bypass + Q10 mail-header bare-newline patterns. FastAPI create_login_protection_dependency factory.
v1.6.1 @arcis/node exports map fix for 9 framework-adapter subpath types. First publish of @arcis/mcp. Honest-claims sweep across README + 8 adapter docstrings.
v1.6.0 Interactive REPL. Welcome screen V2. Tier 1 detection hardening (NFKC + multi-decode + mutation tester). New vectors V32 toolcall injection, V33 deserialization markers, V34 GraphQL alias bomb + fragment cycle. First stateful primitive: CorrelationWindow per-IP rolling window.
View full changelog
"Most apps ship with zero security layer.
Arcis exists so yours doesn't have to."
"We don't just flag what might be vulnerable.
We strip the danger before your code ever sees it."

Secure your app in under a minute

Install Arcis. Add one line. Ship with confidence.

Node.js:  npm install @arcis/node
Python:   pip install arcis
Go:       go get github.com/GagancM/arcis

Plus CLI tools for your dev workflow (a single static binary: npm install -g @arcis/cli):

  • arcis sca: supply chain scanner
  • arcis scan: vulnerability scanner
  • arcis audit: static analysis

Three rules to follow when wiring it up:

Backend only

Install in your server project, never in a frontend bundle: the API key would leak to the browser, and the middleware never runs there.

.env location

Put ARCIS_KEY in the backend .env, with no NEXT_PUBLIC_ / VITE_ / REACT_APP_ prefix; those prefixes expose values to the browser.

CLI is its own package

audit / scan / sca ship as a single static binary. Run npm install -g @arcis/cli alongside your SDK to make them available in your shell.

Built by one developer. Open to everyone.

Arcis is maintained by Gagan CM. If you're using it, found a bug, want to contribute, or want to chat about security or integrations, reach out.

Ask a question

Feature requests, usage questions, or just curious how something works under the hood.

GitHub Discussions

Report a vulnerability

Found a bypass, false positive, or something that should be blocked but isn't? That's exactly what I want to hear about.

Open an Issue

Connect directly

Using Arcis in production? Want to partner, collaborate, or just chat about web security?

LinkedIn