Open Source Security

Protect Your Application

Rate limiting, bot detection, and attack protection that runs entirely on your infrastructure. No vendor lock-in.

Self-Hosted · Real-time · TypeScript · MIT License

Operational Shield in Seconds

Add enterprise-grade protection to any endpoint with zero configuration

app.ts
import { guardrailExpress } from "@guardrail-dev/core/express"

// One line = Full protection (rate limiting, bot detection, attack prevention)
app.use("/api", guardrailExpress.api())

// Or use decorators for fine-grained control (NestJS)
@Controller("api")
class ApiController {
  @Post("users")
  @Shield() // Blocks SQL injection, XSS, command injection
  @Limit({ max: 100, interval: "1h" })
  async createUser(@Body() data: UserDto) {
    return userService.create(data)
  }
}

Powerful Features

Everything you need with code examples

Rate Limiting

Token bucket and sliding window algorithms. Limit by IP, user, or custom identifiers. Perfect for API protection and AI quota control.

  • Sliding window for simple limits
  • Token bucket for burst handling
  • Per-user or per-IP tracking

Rate Limiting
window({
  interval: "10m",
  max: 100,
})

bucket({
  capacity: 5000,
  refillRate: 2000,
  interval: "1h",
})
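
How the two algorithms behave with the values shown above, as an added TypeScript example (not guardrail's own code). It assumes refillRate means tokens added per interval, which the page does not define; the function names and client keys are constructed for illustration.

```typescript
// Added illustration, not guardrail's implementation. Times are in milliseconds.
type Decision = { allowed: boolean; remaining: number };
type Limiter = (key: string, now: number) => Decision;

// Sliding window (log variant): at most `max` hits in any trailing interval.
function slidingWindow(max: number, intervalMs: number): Limiter {
  const hits = new Map<string, number[]>();
  return (key, now) => {
    // Drop timestamps that have aged out of the trailing window.
    const recent = (hits.get(key) ?? []).filter((t) => t > now - intervalMs);
    const allowed = recent.length < max;
    if (allowed) recent.push(now);
    hits.set(key, recent);
    return { allowed, remaining: max - recent.length };
  };
}

// Token bucket: starts full, spends one token per request, refills continuously
// at `refillRate` tokens per interval (assumed semantics), capped at `capacity`.
function tokenBucket(capacity: number, refillRate: number, intervalMs: number): Limiter {
  const state = new Map<string, { tokens: number; last: number }>();
  return (key, now) => {
    const s = state.get(key) ?? { tokens: capacity, last: now };
    s.tokens = Math.min(capacity, s.tokens + ((now - s.last) / intervalMs) * refillRate);
    s.last = now;
    const allowed = s.tokens >= 1;
    if (allowed) s.tokens -= 1;
    state.set(key, s);
    return { allowed, remaining: Math.floor(s.tokens) };
  };
}

// Send `n` requests for `key` at one instant; return how many were allowed.
function burst(limiter: Limiter, key: string, n: number, now: number): number {
  let ok = 0;
  for (let i = 0; i < n; i++) if (limiter(key, now).allowed) ok++;
  return ok;
}

function demo() {
  const MIN = 60 * 1000, HOUR = 60 * MIN;
  const win = slidingWindow(100, 10 * MIN);  // page values: max 100, "10m"
  const bkt = tokenBucket(5000, 2000, HOUR); // page values: 5000 / 2000 / "1h"
  const a = "203.0.113.7", b = "198.51.100.9"; // constructed client keys
  return {
    winFirst: burst(win, a, 60, 0),             // 60 allowed
    winSecond: burst(win, a, 100, 6 * MIN),     // 40 allowed, window now full
    winOtherKey: burst(win, b, 1, 6 * MIN),     // 1: limits are tracked per key
    winSlide: burst(win, a, 100, 10 * MIN),     // 60: only the t=0 hits aged out
    bktBurst: burst(bkt, a, 6000, 0),           // 5000: the full burst capacity
    bktHalfHour: burst(bkt, a, 2000, 30 * MIN), // 1000: half an hour of refill
    bktCapped: burst(bkt, a, 6000, 4 * HOUR),   // 5000: idle refill stops at capacity
  };
}
console.log(demo());
```

The window bounds the total in any trailing 10 minutes, while the bucket admits a one-off burst up to its capacity and then holds clients to the refill rate.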

Bot Detection

Identify and block automated traffic while allowing legitimate crawlers. Over 50 known bots detected out of the box.

  • Allow specific crawlers
  • Block scraping attempts
  • Customizable detection

Bot Detection
bot({
  allow: [
    "Googlebot",
    "Bingbot",
    "Slackbot",
  ],
})

Attack Protection

Shield against SQL injection, XSS, command injection, and path traversal. Pattern matching with zero false positives.

  • SQL injection blocking
  • XSS prevention
  • Command injection detection

Shield
// Full protection
shield()

// Or in dry-run mode
shield({
  mode: "DRY_RUN"
})

IP Intelligence

Geo-location and network detection built-in. Block or allow based on country, detect VPN and proxy usage.

  • Country, region, city detection
  • VPN and proxy identification
  • Hosting provider detection

Filter Rules
filter({
  deny: [
    'ip.src.country ne "US"',
    "ip.src.vpn == true",
    "ip.src.hosting == true",
  ],
})

Everything You Need

Complete security toolkit with zero external dependencies

Rate Limiting

Token bucket and sliding window algorithms. Limit by IP, user, or custom identifiers.

Bot Detection

Identify and block automated traffic while allowing legitimate crawlers.

IP Intelligence

Country, region, city detection with VPN and proxy identification.

Email Validation

Block disposable, free, and invalid email addresses automatically.

Attack Protection

Shield against SQL injection, XSS, and command injection attacks.

Circuit Breaker

Resilient storage operations with automatic failure recovery.

Works With Your Stack

First-class support for popular Node.js frameworks

  • Next.js: App Router & Pages
  • Nest.js: Guards & Interceptors
  • Express: Middleware
  • Fastify: Plugins
  • Koa: Middleware

Start Protecting Your App

Add security to your application in minutes. No account required.