// GETTING STARTED

Documentation

GoGuard protects your API with 31 security checks — automatically, on every request. One line of code. Zero configuration. Works with Node.js, Python, and Go.

Prerequisites

A GoGuard API key — get one at dashboard.goguard.dev
Node.js 18+, Python 3.8+, or Go 1.21+

Set your API key as an environment variable

bash

export GOGUARD_API_KEY=sk_live_your_key_here

Node.js

@goguard/node

Install

bash

npm install @goguard/node

Express

javascript

const express = require('express')
const { goguard } = require('@goguard/node')

const app = express()
app.use(express.json())

// One line — every route is now protected
app.use(goguard({ apiKey: process.env.GOGUARD_API_KEY }))

app.post('/api/signup', (req, res) => {
  // GoGuard already blocked injection, disposable emails,
  // mass assignment, SSRF, and more before this runs.
  
  // Optional: use normalized email for duplicate checks
  const email = req.goguard?.email?.normalized ?? req.body.email
  res.json({ ok: true })
})

app.listen(3000)

Fastify

javascript

const { GoGuardClient } = require('@goguard/node')

const client = new GoGuardClient({ apiKey: process.env.GOGUARD_API_KEY })

app.addHook('preHandler', async (req, reply) => {
  const verdict = await client.decide({
    ip: req.ip,
    path: req.url,
    method: req.method,
    headers: req.headers,
  })
  if (verdict.action === 'block') reply.status(403).send({ blocked: true })
})

Next.js Middleware

typescript

// middleware.ts
import { GoGuardClient } from '@goguard/node'

const client = new GoGuardClient({ apiKey: process.env.GOGUARD_API_KEY! })

export async function middleware(request: Request) {
  const verdict = await client.decide({
    ip: request.headers.get('x-forwarded-for') || 'unknown',
    path: new URL(request.url).pathname,
    method: request.method,
    headers: Object.fromEntries(request.headers),
  })
  if (verdict.action === 'block')
    return new Response('Blocked', { status: 403 })
}

Python

goguard

Install

bash

pip install goguard

Flask

python

from flask import Flask
from goguard import GoGuard
import os

flask_app = Flask(__name__)
guard = GoGuard(api_key=os.environ["GOGUARD_API_KEY"])

@flask_app.post("/api/signup")
def signup():
    # GoGuard already blocked attacks before this runs
    return {"ok": True}

# One line — wrap your app
app = guard.protect(flask_app)
app.run(port=3000)

FastAPI

python

from fastapi import FastAPI
from goguard import GoGuard
import os

app = FastAPI()
guard = GoGuard(api_key=os.environ["GOGUARD_API_KEY"])

@app.post("/api/signup")
async def signup():
    return {"ok": True}

# Wrap the ASGI app
app = guard.protect(app)

Django

python

# wsgi.py
from goguard import GoGuard
import os

guard = GoGuard(api_key=os.environ["GOGUARD_API_KEY"])
application = guard.protect(application)

Go

github.com/goguard/sdk-go

Install

bash

go get github.com/goguard/sdk-go

net/http

package main

import (
    "net/http"
    "os"
    goguard "github.com/goguard/sdk-go"
)

func main() {
    mux := http.NewServeMux()
    
    mux.HandleFunc("/api/signup", func(w http.ResponseWriter, r *http.Request) {
        // GoGuard already blocked attacks before this runs
        
        // Optional: access enrichment data
        enrichment := goguard.GetEnrichment(r)
        if enrichment != nil && enrichment.Email != nil {
            normalizedEmail := enrichment.Email.Normalized
            _ = normalizedEmail
        }
        w.Write([]byte("ok"))
    })

    // One line — wrap your handler
    handler := goguard.Protect(mux, goguard.Config{
        APIKey: os.Getenv("GOGUARD_API_KEY"),
    })
    
    http.ListenAndServe(":3000", handler)
}

// 31 SECURITY CHECKS

What Gets Protected

All checks run automatically. No configuration needed. The developer writes zero security code.

Input Attacks

SQL injection

XSS (script, event handlers)

NoSQL injection

Command injection

Path traversal

Email Fraud

Disposable emails (10K+ domains)

Plus-tag tricks (+tag@gmail.com)

Dot tricks (v.i.c.t.i.m@gmail.com)

Multi-account detection

Phone Fraud

VoIP / virtual number detection

Suspicious country detection

Phone cycling / SIM farming

Cross-signal mismatch (IP country vs phone country)

Access Control

Mass assignment (role, is_admin in body)

IDOR sequential enumeration

IDOR access spikes

Broken auth detection (missing auth on sensitive paths)

Infrastructure

SSRF (private IPs, metadata endpoints, localhost)

Rate limiting (IP + fingerprint)

Velocity abuse detection

Device fingerprinting (IP-independent)

Credentials & Bots

Credential stuffing detection

Scraper / bot detection (ML behavioral)

Anomaly scoring per customer

Threat intelligence feeds

Response Safety

API key / secret leak detection

Password hash leak detection

PII leak detection (SSN, credit card)

Database URL leak detection

Configuration

Everything works out of the box. Customize only if you need to.

javascript

app.use(goguard({
  apiKey: process.env.GOGUARD_API_KEY,  // required
  mode: 'block',                         // 'block' | 'monitor' (default: 'block')
  excludePaths: ['/health', '/metrics'], // skip these paths
  
  // Toggle individual protections (all true by default)
  protect: {
    email: true,       // email fraud detection
    phone: true,       // phone fraud detection
    login: true,       // credential stuffing detection
    injection: true,   // SQL, XSS, NoSQL, command injection, path traversal
    leaks: true,       // response leak detection (keys, PII, passwords)
    ssrf: true,        // SSRF prevention
    auth: true,        // broken auth detection (monitor only, never blocks)
    idor: true,        // IDOR enumeration detection
    bac: true,         // broken access control / mass assignment
  },

  // Callbacks
  onBlock: (req, reason) => console.log('Blocked:', reason),
  onError: (err) => console.error('GoGuard error:', err.message),
}))

Fail-Open by Default

If GoGuard services are unreachable or timeout (default 1500ms), every request is automatically allowed through. Your app is never impacted by GoGuard downtime.

Enrichment Data

GoGuard attaches analysis data to every request. You don't need it, but it's there if you want it.

Node.js — req.goguard

javascript

app.post('/api/signup', (req, res) => {
  // Email enrichment
  const email = req.goguard?.email?.normalized     // "victim@gmail.com"
  const isDisposable = req.goguard?.email?.is_disposable  // false
  const riskScore = req.goguard?.email?.risk_score // 0.1

  // Phone enrichment
  const country = req.goguard?.phone?.country_name // "United States"
  const isVoip = req.goguard?.phone?.is_voip       // false
  const numberType = req.goguard?.phone?.number_type // "mobile"

  // Vulnerability detections (if any were found but not blocked)
  const vulns = req.goguard?.vulnerabilities       // VulnerabilityEvent[]
})

Python — environ / scope

python

@app.post("/api/signup")
def signup():
    enrichment = request.environ.get("goguard")  # WSGI
    # or: scope["state"]["goguard"]               # ASGI
    
    if enrichment and enrichment.get("email"):
        normalized = enrichment["email"]["normalized"]

Go — goguard.GetEnrichment(r)

func signupHandler(w http.ResponseWriter, r *http.Request) {
    enrichment := goguard.GetEnrichment(r)
    if enrichment != nil && enrichment.Email != nil {
        normalized := enrichment.Email.Normalized
        _ = normalized
    }
}

// PREMIUM FEATURE

Security Scanner

Static analysis for your source code. Finds hardcoded secrets, missing auth, data leaks, and insecure configs — before you push. Requires a GoGuard API key.

Run

bash

# Scans current directory
npx @goguard/scan

# Scan a specific folder
npx @goguard/scan ./src

# Provide API key explicitly
npx @goguard/scan --api-key sk_live_your_key

# JSON output for CI
npx @goguard/scan --json

# Fail CI if high severity or above
npx @goguard/scan --fail-on high

What It Checks

Check	Severity	Examples
Hardcoded secrets	Critical	AWS keys, Stripe keys, GitHub tokens, private keys
Committed .env files	Critical	.env, credentials.json, *.pem in repo
Missing .gitignore	Critical	No .gitignore or missing key entries
Missing auth middleware	Critical/High	/admin/, /api/settings/ without auth
SQL injection in code	High	String concatenation in SQL queries
Response data leaks	High	Returning password, secret, token fields
Insecure dependencies	High	Known CVEs via npm audit / pip audit
Supabase misconfig	Critical/High	Missing RLS, public storage, service role key
Firebase misconfig	Critical/High	allow read, write: if true in rules
Weak JWT secrets	High	Short or common secrets like "secret", "password"

How it works: The scanner reads your files as text — pure regex/pattern matching. It doesn't execute code, doesn't connect to databases, doesn't install anything. Results are sent to your GoGuard dashboard under Vulnerabilities.

GitHub Action

Run the scanner in CI on every push. Block deploys if critical vulnerabilities are found.

yaml

# .github/workflows/security.yml
name: GoGuard Security Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - uses: goguard/scan@v1
        with:
          api-key: ${{ secrets.GOGUARD_API_KEY }}
          fail-on: high

Ready to protect your API?

One line of code. 31 security checks. Zero friction.

Get API Key