arcis

Hello world. Open-sourced Arcis. Security middleware that runs inside your web app instead of in front of it. For developers tired of WAFs that block `' OR 1=1` and miss everything else. Node, Python, Go. github.com/Gagancm/arcis

Your XSS filter blocks <script>. Does it block the same six characters in fullwidth form? Most pre-2023 detectors do not. arcis-website.pages.dev/blog/posts/uni…

Agent security has four layers: identity, pre-deploy testing, observability, defense. Only the defense layer can refuse a request in flight. The other three are advisory by structure. arcis-website.pages.dev/blog/posts/def…

The WAF and the application see the same HTTP request differently. The attacker only needs to live in the seam. arcis-website.pages.dev/blog/posts/why…

@hthieblot Refuse

pitch me your company in 1 word.

@ItsWillHenry Arcis. Open-source security middleware for Node, Python, and Go web apps. One line of code, 30+ attack vectors handled inside the app. github.com/Gagancm/arcis

If you are a solo founder, reply here and tell me what you are building.

If you want the full thesis behind Arcis - what it is, what it does NOT do, and the inside-the-app argument, the launch post is the cleanest place to start. 5-minute read. arcis-website.pages.dev/blog/posts/int…

The fix for fullwidth XSS bypasses is three lines per language: JS: input.normalize Python: unicodedata.normalize Go: norm.NFKC.String Catches: fullwidth, ligatures, math letterlikes. Skip it and your sanitizer has a permanent backdoor.

2026 reality: every app is now three apps. A request app. A model app. A tool app. The WAF protects the request app. Nothing protects the other two. That's the gap Arcis is in.

Arcis conformance status: 154/154 tests pass across Node + Python + Go Same input → same verdict in all three SDKs Drift = failed CI = no release Cross-SDK parity is the only metric that matters once a tool ships in multiple languages.

What one `app.use(arcis())` line replaces in a typical Express app: helmet express-rate-limit csurf sanitize-html hpp express-mongo-sanitize Five fewer libraries to keep updated. #Cyber_Security #security

The full Arcis install: npm install @arcis/node Two lines. Thirty attack vectors at the request boundary. OWASP Top 10 plus prompt injection, MCP toolcall, deserialization, and 20 more. github.com/Gagancm/arcis #cybersecurity #security #appsec #devtools #opensource

@xARx_00 @X you might vibe with this, your SOC tells you the attack happened, Arcis just... doesn't let it. inline middleware, node/py/go. would love any feedback or advice tbh. github.com/Gagancm/arcis

Hey @X Looking to #connect with people building in: Cybersecurity Blue Team / SOC AI/ML DevOps Cloud Backend Open Source Indie SaaS Building in public Drop what you’re working on, let’s grow together

Everyone asks if a self hosted SOC holds up under real attacks. Brute force, SQLi, credential stuffing, back to back. Detected, correlated, MITRE mapped and triaged in seconds. Would you trust this to wake you up at 3am? #web3 #developers #Security #hacking #blueteam

@overgeared2608 yep, in-app is intentional. per-route is opt-in set defaults globally, override only what needs it. resolved at registration, so no per-request cost.

@getarcis wait, in-app instead of a reverse proxy? curious how you handle the per-route config overhead...

Arcis ships first-party adapters for: Express  Fastify  Hono  Next.js  Koa FastAPI  Django  Litestar  Flask Gin  Echo  Chi  Fiber  net/http One config object. Same defense across all of them. github.com/Gagancm/arcis