Security Architecture

XyPriss is built with a "Security-First" philosophy, integrating enterprise-grade protection directly into the core engine. Unlike traditional frameworks that rely on third-party middleware, XyPriss utilizes its native XHSC Bridge to perform security validations at the binary level.

Enterprise Protection

Security Pipeline

Request FlowInbound Data

XHSC BridgeBinary Validation

Security LayersCSP / CORS / Signatures

Response MaskingSensitive Data Shield

Performance

O(1) matching with minimal CPU overhead.

Integrity

Cryptographic assurance for all data.

Comprehensive Protection Layers

The XyPriss security stack is composed of several specialized layers designed to neutralize threats before they reach your application logic.

Inbound Protection

Request signatures, advanced rate limiting, and route-based security rules (XSS, SQLi, Path Traversal).

Outbound Safety

Dynamic response manipulation to mask sensitive fields like tokens and internal errors before they leave the server.

Environment Shield

Strict isolation of environment variables and system file access to prevent accidental secret leakage.

Content Security

Flexible CSP configuration with nonce support and wildcard CORS pattern matching for complex domains.

Quick Start

Configure the security modules in your server options. XyPriss supports three security levels to quickly set up your defensive posture.

typescript

import { createServer } from "xypriss";

const app = createServer({
  /**
   * Advanced request lifecycle and traffic management.
   *
   * Includes:
   * - Route-specific timeouts
   * - Network quality detection
   * - Request concurrency protection
   * - Retry and circuit breaker resilience
   * - Payload size limitations
   */
  requestManagement: {
    timeout: {
      enabled: true,

      // Default timeout for all incoming requests
      defaultTimeout: 30000,

      // Route-level timeout overrides
      routes: {
        "/api/upload": 300000,
        "/api/export": 120000,
        "/api/health": 3000,
      },

      staticTimeout: 10000,

      errorMessage: "Request timeout exceeded",
    },

    /**
     * Reject requests from unstable or extremely slow connections.
     */
    networkQuality: {
      enabled: true,

      rejectOnPoorConnection: true,

      // Minimum required bandwidth (1KB/s)
      minBandwidth: 1024,

      // Maximum acceptable latency
      maxLatency: 2000,
    },

    /**
     * Protect the server against request floods
     * and excessive concurrent workloads.
     */
    concurrency: {
      maxConcurrentRequests: 1000,

      maxPerIP: 50,

      queueTimeout: 10000,

      maxQueueSize: 5000,

      /**
       * Prioritize critical routes under heavy load.
       */
      priorityQueue: {
        enabled: true,

        priorities: {
          "/api/auth": 1,
          "/api/payment": 2,
          "/api/upload": 5,
        },
      },
    },

    /**
     * Track request execution stages and slow operations.
     */
    lifecycle: {
      enabled: true,

      trackStartTime: true,

      trackStages: true,

      // Emit warnings for long-running requests
      warnAfter: 5000,
    },

    /**
     * Built-in retry logic and circuit breaker protection.
     */
    resilience: {
      retryEnabled: true,

      maxRetries: 3,

      retryDelay: 1000,

      circuitBreaker: {
        enabled: true,

        failureThreshold: 10,

        resetTimeout: 30000,

        monitoringPeriod: 60000,
      },
    },

    /**
     * Request payload limitations and validation.
     */
    payload: {
      // 10MB request body limit
      maxBodySize: 10 * 1024 * 1024,

      maxUrlLength: 2048,

      maxFields: 100,
    },
  },

  /**
   * Automatically sanitize outgoing JSON responses
   * before they are sent to clients.
   */
  responseManipulation: {
    enabled: true,

    rules: [
      /**
       * Completely hide password fields.
       */
      {
        field: "password",
        replacement: "[MASKED]",
      },

      /**
       * Preserve only the first 4 characters
       * of sensitive API keys.
       */
      {
        field: "apiKey",
        preserve: 4,
        replacement: "****",
      },

      /**
       * Replace credit card patterns globally.
       */
      {
        valuePattern: /d{4}-d{4}-d{4}-d{4}/g,
        replacement: "[REDACTED_CARD]",
      },

      /**
       * Remove deeply nested secret tokens.
       */
      {
        field: "user.secretToken",
        replacement: null,
      },
    ],

    maxDepth: 15,
  },

  security: {
    /**
     * XyRS request signature validation.
     *
     * Every request must provide a valid
     * XP-Request-Sig header matching the configured secret.
     */
    requestSignature: {
      secret: __sys__.__env__.getStrict("API_SECRET"),

      headerName: "XP-Request-Sig",

      errorMessage: "Invalid request signature",

      statusCode: 401,

      caseSensitive: false,

      trimValue: true,

      debug: false,

      maxHeaderLength: 256,

      maxFailedAttempts: 10,

      // Temporary block duration (10 minutes)
      blockDuration: 1000 * 60 * 10,

      timingSafeComparison: true,

      rejectSuspiciousPatterns: true,
    },
  },
});

Binary-Level Validation

XyPriss performs most security checks within the native XHSC bridge using optimized Go-based Regex engines. This ensures high-performance protection even under extreme load without blocking the Node.js event loop.

General Security Guide

Learn how to configure security levels and built-in protection modules.