Honeypot Tarpit
The Honeypot Tarpit is a built-in security layer designed to instantly neutralize connections from malicious botnets, reconnaissance scanners, and automated exploit frameworks. It operates at the earliest phase of the request handling lifecycle to save CPU cycles.
Enable / Disable
By default, the Honeypot Tarpit is enabled. You can explicitly disable it in your server configuration if you need to capture malicious requests in your application layer.
```typescript
import { createServer } from "xypriss";

const app = createServer({
  security: {
    honeypotTarpit: false, // Set to false to disable the tarpit
  },
});
```

The 6-Stage Pipeline
The Tarpit applies a zero-false-positive strategy using a deterministic pipeline before any expensive routing or session management occurs:
1. Input Sanitization
2. URI Normalization (e.g. resolving ../)
3. Exact Trap Match: /.env, /.git, or /.aws/credentials.
4. Directory Prefix Match: requests under a trapped directory (e.g. /.ssh/) are blocked.
5. Extension Watcher: .tfstate, .pem, or .DS_Store.
6. Isolated Path Segment Checks: wp-admin, phpmyadmin, or heapdump.

Why 403 Forbidden?
XyPriss uses a lightweight 403 Forbidden response instead of tearing down the TCP socket. This avoids penalizing legitimate requests that might be multiplexed over the same Keep-Alive connection in reverse proxy or XHSC bridge environments.
Performance Neutralization
Drop malicious probes with minimal overhead. No HTTP body or framework-level headers are appended to the response, ensuring maximum efficiency.

A Set of known malicious paths ensures that legitimate traffic is never delayed by complex pattern matching.
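As an added illustration, not XyPriss's own implementation, the block below models the six pipeline stages above as one function a server could call before routing, with the cheap Set and prefix lookups and the bodyless 403 decision described on this page. The trap lists are constructed from the paths this page names; the length limit, the control-character rule and the double percent-decode are assumptions.

```javascript
// Added illustration, not XyPriss's code: a minimal model of the tarpit's
// deterministic pipeline. Trap lists are constructed from this page's examples.
const EXACT_TRAPS = new Set(["/.env", "/.git", "/.aws/credentials"]);
const PREFIX_TRAPS = ["/.ssh/"];
const EXT_TRAPS = new Set([".tfstate", ".pem", ".DS_Store"]);
const SEGMENT_TRAPS = new Set(["wp-admin", "phpmyadmin", "heapdump"]);

// Stage 1, input sanitization (assumed rules): reject non-strings, oversized
// paths and control characters before any further work is spent on the request.
function sanitize(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  return /[\x00-\x1f\x7f]/.test(raw) ? null : raw;
}

// Stage 2, URI normalization: strip the query, percent-decode twice (defeats
// double encoding), then resolve "." and ".." so "/static/../.env" -> "/.env".
function normalize(path) {
  let p = path.split("?")[0];
  for (let i = 0; i < 2; i++) {
    try { p = decodeURIComponent(p); } catch { if (i === 0) return null; }
  }
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Stages 3-6: constant-time Set / prefix lookups on the canonical path, no regexes.
function matchTrap(path) {
  if (EXACT_TRAPS.has(path)) return "exact";
  if (PREFIX_TRAPS.some((pre) => path.startsWith(pre))) return "prefix";
  const last = path.slice(path.lastIndexOf("/") + 1);
  const dot = last.lastIndexOf(".");
  if (dot !== -1 && EXT_TRAPS.has(last.slice(dot))) return "extension";
  if (path.split("/").some((seg) => SEGMENT_TRAPS.has(seg))) return "segment";
  return null;
}

// Whole pipeline. A blocked result is answered with a bare 403 (status only,
// no body, no framework headers) so a multiplexed Keep-Alive socket stays usable.
function tarpit(rawPath) {
  const clean = sanitize(rawPath);
  if (clean === null) return { block: true, stage: "sanitize" };
  const path = normalize(clean);
  if (path === null) return { block: true, stage: "normalize" };
  const stage = matchTrap(path);
  return stage === null ? { block: false, stage: null } : { block: true, stage };
}
```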
