Zero-dependency security middleware for Python. Protects against XSS, SQL injection, CSRF, SSRF, HPP, rate limiting, bot detection, and 15+ more attack types. Works with Flask, FastAPI, and Django.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Gagan_cm from gravatar.com Gagan_cm

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Gagan CM
  • Tags security , xss , sql-injection , nosql-injection , rate-limiting , flask , fastapi , django , ssrf , open-redirect , cors , sanitize , middleware , web-security , input-validation , command-injection , path-traversal
  • Requires: Python >=3.9
  • Provides-Extra: flask , fastapi , django , redis , telemetry , dev
Classifiers
Report project as malware

Project description

Arcis Python

PyPI version License: MIT CI Python 3.9+

One-line security for Python web applications.

Arcis is a cross-platform security library that provides drop-in protection against common web vulnerabilities. Part of the Arcis ecosystem with implementations for Node.js, Python, and Go.

Installation

# Core library (no dependencies)
pip install arcis

# With framework integrations
pip install arcis[flask]
pip install arcis[fastapi]
pip install arcis[django]

# All frameworks + dev tools
pip install arcis[dev]

Quick Start

Flask

from flask import Flask
from arcis import Arcis

app = Flask(__name__)
Arcis(app)  # That's it! Your app is now protected.

@app.route('/')
def hello():
    return 'Hello, World!'

FastAPI

from fastapi import FastAPI
from arcis.fastapi import ArcisMiddleware

app = FastAPI()
app.add_middleware(ArcisMiddleware)

@app.get('/')
async def hello():
    return {'message': 'Hello, World!'}

Django

# settings.py
MIDDLEWARE = [
    'arcis.django.ArcisMiddleware',
    # ... other middleware
]

# Optional configuration
ARCIS_CONFIG = {
    'rate_limit_max': 100,
    'rate_limit_window_ms': 60000,
    'sanitize_xss': True,
    'sanitize_sql': True,
}

Features

Input Sanitization

Automatically sanitize user input to prevent:

  • XSS (Cross-Site Scripting)
  • SQL Injection
  • NoSQL Injection (MongoDB operators)
  • Path Traversal (../ attacks)
  • Prototype Pollution (__proto__, constructor)
  • HTTP Header Injection (CRLF, response splitting)
  • SSRF (private IPs, cloud metadata, dangerous protocols)
  • Open Redirect (absolute URLs, javascript:, protocol-relative)
from arcis import sanitize_string, sanitize_dict

# Sanitize a string
clean = sanitize_string("<script>alert('xss')</script>")
# Result: "&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;"

# Sanitize a dictionary (including nested objects)
data = {"name": "<script>xss</script>", "$gt": ""}
clean = sanitize_dict(data)
# Result: {"name": "&lt;script&gt;..."}  ($gt key removed)

Rate Limiting

Protect against brute force and DDoS attacks with fixed window, sliding window, or token bucket:

from arcis import RateLimiter
from arcis.middleware import SlidingWindowLimiter, TokenBucketLimiter

# Fixed window
limiter = RateLimiter(max_requests=100, window_ms=60000)

# Sliding window — smoother rate enforcement
sliding = SlidingWindowLimiter(max_requests=100, window_ms=60000)

# Token bucket — burst-friendly
bucket = TokenBucketLimiter(capacity=100, refill_rate=10)  # 10 tokens/sec

Bot Detection

Detect and categorize bots with 80+ patterns across 7 categories:

from arcis.middleware import BotDetector

detector = BotDetector()
result = detector.detect(user_agent, request_headers)
# result.is_bot, result.category, result.confidence

CSRF Protection

Double-submit cookie pattern with token generation and validation:

from arcis.middleware import CsrfProtection

csrf = CsrfProtection(secret="your-secret-key")

Security Headers

Automatically add security headers to all responses:

  • Content-Security-Policy
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Strict-Transport-Security
  • X-XSS-Protection: 0

Input Validation

from arcis import Validator, validate_email, validate_url

# Quick validation
if validate_email(user_input):
    print("Valid email!")

# Full validator
assert Validator.email("test@example.com")  # True
assert Validator.url("https://example.com")  # True
assert Validator.uuid("550e8400-e29b-41d4-a716-446655440000")  # True
assert Validator.length("hello", min_len=3, max_len=10)  # True

Safe Logging

Log safely without exposing secrets:

from arcis import SafeLogger

logger = SafeLogger()

# Automatically redacts sensitive fields
logger.info("User login", {"email": "user@test.com", "password": "secret"})
# Output: {"email": "user@test.com", "password": "[REDACTED]"}

# Prevents log injection (removes newlines/control characters)
logger.info("User: attacker\nAdmin: true")  # Newlines stripped

Configuration

All frameworks support the same configuration options:

# Flask
Arcis(
    app,
    sanitize=True,
    sanitize_xss=True,
    sanitize_sql=True,
    sanitize_nosql=True,
    sanitize_path=True,
    rate_limit=True,
    rate_limit_max=100,
    rate_limit_window_ms=60000,
    headers=True,
    csp="default-src 'self'",
)

# FastAPI
app.add_middleware(
    ArcisMiddleware,
    rate_limit_max=50,
    sanitize_sql=False,
)

# Django (settings.py)
ARCIS_CONFIG = {
    'rate_limit_max': 50,
    'sanitize_sql': False,
}

Standalone Middleware (Django)

Use individual components if you only need specific protection:

MIDDLEWARE = [
    'arcis.django.ArcisSanitizeMiddleware',   # Only sanitization
    'arcis.django.ArcisRateLimitMiddleware',  # Only rate limiting
    'arcis.django.ArcisHeadersMiddleware',    # Only security headers
]

Testing

# Install dev dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/ -v

# With coverage
pytest tests/ --cov=arcis --cov-report=html

API Reference

Core Classes

Class Description
Arcis Main class - configures all protections
Sanitizer Input sanitization
RateLimiter Fixed window rate limiting
SlidingWindowLimiter Sliding window rate limiting
TokenBucketLimiter Token bucket rate limiting
BotDetector Bot detection with 80+ patterns
CsrfProtection CSRF double-submit cookie protection
SecurityHeaders Security headers
Validator Input validation
SafeLogger Safe logging with redaction

Exceptions

Exception Description
RateLimitExceeded Raised when rate limit is exceeded
ValidationError Raised when validation fails

Convenience Functions

Function Description
sanitize_string(value) Sanitize a single string
sanitize_dict(data) Sanitize a dictionary
sanitize_xss(value) XSS sanitization only
sanitize_sql(value) SQL injection sanitization only
sanitize_nosql(data) NoSQL injection sanitization only
sanitize_path(value) Path traversal sanitization only
validate_email(value) Email validation with disposable blocklist, typo suggestions, MX verify
validate_url(value) Validate URL format
validate_url_ssrf(value) URL validation with SSRF protection
validate_redirect(value) Open redirect prevention
validate_uuid(value) Validate UUID format

Utilities

Function Description
parse_duration(value) Parse duration strings ("5m", "1h") to milliseconds
get_client_ip(request) Platform-aware IP detection (proxy headers, etc.)
fingerprint_request(request) Generate request fingerprint for tracking

License

MIT License - see LICENSE file for details.

Contributing

  1. Fork the repo and create your branch from nwl (the active development branch)
  2. All PRs target nwlmain is release-only
  3. All changes must pass existing tests
  4. New features require test cases aligned with spec/TEST_VECTORS.json

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Gagan_cm from gravatar.com Gagan_cm

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: Gagan CM
  • Tags security , xss , sql-injection , nosql-injection , rate-limiting , flask , fastapi , django , ssrf , open-redirect , cors , sanitize , middleware , web-security , input-validation , command-injection , path-traversal
  • Requires: Python >=3.9
  • Provides-Extra: flask , fastapi , django , redis , telemetry , dev
Classifiers

Release history Release notifications | RSS feed

1.5.5

1.5.4

1.5.3

1.5.2

1.5.1

1.5.0

1.4.4

This version

1.4.3

1.4.2

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

arcis-1.4.3.tar.gz (98.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

arcis-1.4.3-py3-none-any.whl (111.9 kB view details)

Uploaded Python 3

File details

Details for the file arcis-1.4.3.tar.gz.

File metadata

  • Download URL: arcis-1.4.3.tar.gz
  • Upload date:
  • Size: 98.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.13

File hashes

Hashes for arcis-1.4.3.tar.gz
Algorithm Hash digest
SHA256 cdeb8bcd86e814a1ef375e2e9a20d475188e4c96ba8554da8500f5b7d58fddf5
MD5 15c03df3bf98b2da010bc7ae122c3708
BLAKE2b-256 ab2ee9cb301eb587283631be55326059aaff00a06ff7dbbd371e4bbe5a69fa87

See more details on using hashes here.

File details

Details for the file arcis-1.4.3-py3-none-any.whl.

File metadata

  • Download URL: arcis-1.4.3-py3-none-any.whl
  • Upload date:
  • Size: 111.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.13

File hashes

Hashes for arcis-1.4.3-py3-none-any.whl
Algorithm Hash digest
SHA256 7c0bd82eeb38f0c8b223c33822174a3922be02794d0516a5c5752bf552bd4d80
MD5 38c0207e52caf5a78b70ec7b95da7155
BLAKE2b-256 7a558f3a1c44636497b1b8d6c6256b6be7ace6e7bfa1f6371eefc8144cac17ce

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page