Access Control Middleware

XyPriss provides advanced access control middleware to restrict API access based on client type. Two complementary modules allow you to create secure, client-specific endpoints by distinguishing between browser and terminal environments.

BrowserOnly

Blocks non-browser requests (cURL, Postman, scripts) while allowing legitimate browser access.

TerminalOnly

Blocks browser requests while allowing terminal/API tools with optional whitelisting.

BrowserOnly Configuration

Perfect for web applications that should only be accessed through browsers. It uses multiple detection methods including Sec-Fetch headers and browser engine signatures.

```typescript
import { createServer } from "xypriss";

const app = createServer({
    security: {
        browserOnly: {
            enable: true, // Enable/disable the middleware
            debug: false, // Enable debug logging
            requireSecFetch: true, // Require Sec-Fetch headers
            blockAutomationTools: true, // Block curl/wget user agents
            requireComplexAccept: false, // Require complex Accept headers
            allowOriginRequests: true, // Allow CORS requests
            errorMessage: "Browser access required",
            statusCode: 403,
        },
    },
});
```

TerminalOnly Configuration

Ideal for API-only endpoints or development tools. It blocks browser access while allowing terminal tools like cURL, Postman, and other API clients.

```typescript
import { createServer } from "xypriss";

const app = createServer({
    security: {
        terminalOnly: {
            enable: true, // Enable/disable the middleware
            debug: true, // Enable debug logging
            allowedTools: ["postman", "curl"], // Whitelist specific tools
            blockSecFetch: true, // Block requests with Sec-Fetch headers
            blockBrowserIndicators: true, // Block browser-specific headers
            errorMessage: "Terminal/API access required",
            statusCode: 403,
        },
    },
});
```

Whitelisting & Tools

When allowedTools is specified, only listed tools can access the endpoint. Supported tools include:

  • curl
  • wget
  • postman
  • insomnia
  • httpie
  • axios
  • fetch
  • got

Strictness Levels

Normal (Default)

Standard detection with 70% confidence threshold.

High

More aggressive detection with 50% confidence threshold.

Paranoid

Maximum security with 30% confidence threshold.

Mutual Exclusivity

You cannot enable both browserOnly and terminalOnly simultaneously. Doing so throws a configuration error during server initialization.
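The following is an added example, not XyPriss's own code, showing in one place how the pieces described above fit together: a header-based browser/terminal classifier shaped like the browserOnly and terminalOnly options, the allowedTools whitelist, the three strictness thresholds, and the mutual-exclusivity check. The header names, the scoring weights, the substring matching of tool names against the User-Agent, and the reading of a strictness threshold as "confidence that the client is of the disallowed kind" are assumptions made for this example. Every signal used is a header the client chooses to send, so this separates casual tooling from browsers; it is not an authentication boundary.

```typescript
// Added example (not XyPriss code). Header names, weights, tool-name matching
// and the "suspicion >= threshold" reading of strictness are assumptions.

type HeaderMap = Record<string, string | undefined>;
export type Strictness = "normal" | "high" | "paranoid";

// Confidence (whole percent) needed before a request is blocked as the
// disallowed client type, per the Strictness Levels section.
export const THRESHOLDS: Record<Strictness, number> = { normal: 70, high: 50, paranoid: 30 };

export interface AccessConfig {
  strictness?: Strictness;
  browserOnly?: { enable: boolean; requireSecFetch?: boolean; blockAutomationTools?: boolean;
                  requireComplexAccept?: boolean; statusCode?: number; errorMessage?: string };
  terminalOnly?: { enable: boolean; allowedTools?: string[]; blockSecFetch?: boolean;
                   blockBrowserIndicators?: boolean; statusCode?: number; errorMessage?: string };
}

// Tool names from the Whitelisting & Tools list, matched as substrings of the
// lower-cased User-Agent (assumption: that is how a tool is identified).
export const KNOWN_TOOLS = ["curl", "wget", "postman", "insomnia", "httpie", "axios", "fetch", "got"];

export function validateConfig(cfg: AccessConfig): void {
  // Mutual Exclusivity: enabling both modes is a configuration error.
  if (cfg.browserOnly?.enable && cfg.terminalOnly?.enable) {
    throw new Error("browserOnly and terminalOnly cannot both be enabled");
  }
}

const hasSecFetch = (h: HeaderMap) =>
  Boolean(h["sec-fetch-mode"] && h["sec-fetch-site"] && h["sec-fetch-dest"]);
const hasComplexAccept = (h: HeaderMap) =>
  (h["accept"] ?? "").includes("text/html") && (h["accept"] ?? "").includes("q=");
const matchTool = (h: HeaderMap, tools: string[]) => {
  const ua = (h["user-agent"] ?? "").toLowerCase();
  return tools.find((t) => ua.includes(t.toLowerCase()));
};

// How browser-like the request looks, 0..100. Weights are assumptions.
export function browserScore(h: HeaderMap): number {
  const ua = (h["user-agent"] ?? "").toLowerCase();
  let score = 0;
  if (hasSecFetch(h)) score += 40;                                                // fetch-metadata headers
  if (ua.includes("mozilla/5.0") && /applewebkit|gecko|trident/.test(ua)) score += 30; // engine signature
  if (hasComplexAccept(h)) score += 20;                                           // multi-type Accept with q-values
  if (h["accept-language"]) score += 10;
  if (matchTool(h, KNOWN_TOOLS)) score = Math.min(score, 10);                     // explicit tool signature dominates
  return score;
}

export interface Decision { allow: boolean; status: number; reason: string; score: number }

export function decide(cfg: AccessConfig, h: HeaderMap): Decision {
  validateConfig(cfg);
  const score = browserScore(h);
  const threshold = THRESHOLDS[cfg.strictness ?? "normal"];
  const block = (status: number, reason: string): Decision => ({ allow: false, status, reason, score });
  const b = cfg.browserOnly;
  if (b?.enable) {
    const st = b.statusCode ?? 403;
    if (b.requireSecFetch && !hasSecFetch(h)) return block(st, "missing Sec-Fetch headers");
    if (b.blockAutomationTools && matchTool(h, KNOWN_TOOLS)) return block(st, "automation tool user agent");
    if (b.requireComplexAccept && !hasComplexAccept(h)) return block(st, "simple Accept header");
    if (100 - score >= threshold) return block(st, "non-browser confidence above threshold");
  }
  const t = cfg.terminalOnly;
  if (t?.enable) {
    const st = t.statusCode ?? 403;
    if (t.blockSecFetch && hasSecFetch(h)) return block(st, "Sec-Fetch headers present");
    if (t.blockBrowserIndicators && score >= threshold) return block(st, "browser indicators above threshold");
    if (t.allowedTools && !matchTool(h, t.allowedTools)) return block(st, "client not in allowedTools");
  }
  return { allow: true, status: 200, reason: "allowed", score };
}

// Constructed sample requests (not captured traffic).
export const SAMPLE_BROWSER: HeaderMap = {
  "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",
  accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  "accept-language": "en-US,en;q=0.5",
  "sec-fetch-mode": "navigate", "sec-fetch-site": "none", "sec-fetch-dest": "document",
};
export const SAMPLE_CURL: HeaderMap = { "user-agent": "curl/8.4.0", accept: "*/*" };
export const SAMPLE_WGET: HeaderMap = { "user-agent": "Wget/1.21.4", accept: "*/*" };
// A script that copied a browser User-Agent but not the fetch-metadata headers.
export const SAMPLE_SPOOFED: HeaderMap = { "user-agent": SAMPLE_BROWSER["user-agent"], accept: "*/*" };
```

In a request handler you would call `decide(cfg, req.headers)` and respond with `d.status` and the configured `errorMessage` when `d.allow` is false. Two things the samples make visible: the spoofed request scores 30 (a browser User-Agent alone is not enough, because the fetch-metadata headers are missing), and the same request is accepted by a terminalOnly endpoint at `normal` strictness but rejected at `paranoid`, which is exactly the trade-off the thresholds express. Because the inputs are all client-supplied headers, keep real authorization (tokens, sessions) as a separate layer and log the `reason` field so blocked traffic can be reviewed.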

Performance & Metrics

Low Latency Detection

Access control detection runs in O(1) time with less than 1MB additional memory and typically adds less than 5ms of processing time per request.