DEV Community: Maksat Ramazan The latest articles on DEV Community by Maksat Ramazan (@makennsky). https://dev.to/makennsky https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2170029%2F0ba8bb5f-8036-467e-b98c-9f0bfa91d92d.jpg DEV Community: Maksat Ramazan https://dev.to/makennsky en How a “Kind of Working” Payment Gateway Made Me Write This Circuit Breaker Maksat Ramazan Tue, 31 Mar 2026 11:58:11 +0000 https://dev.to/makennsky/how-a-kind-of-working-payment-gateway-made-me-write-this-circuit-breaker-3fd2 https://dev.to/makennsky/how-a-kind-of-working-payment-gateway-made-me-write-this-circuit-breaker-3fd2 <h1> I got bored and wrote a circuit breaker </h1> <p>A few years ago I was working at a fintech company. We had an integration with a payment gateway. Critical one — money literally depended on it.</p> <p>One day it started behaving weird.</p> <p>Not down. Not healthy. Just <strong>slow enough to destroy everything</strong>.</p> <p>Requests were hanging. Threads piling up. Retries amplifying the problem. Other services started lagging. The gateway was still <em>responding</em> — just slowly enough to kill us.</p> <p>We needed a circuit breaker. We didn't have one. So we hacked something together in production. Ugly, tightly coupled, impossible to test.</p> <p>Fast forward to now — I built the circuit breaker I wish we had back then.</p> <h2> Show me the code </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">breaker</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">circuitbreaker</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"stripe"</span><span class="p">,</span> <span class="n">cb</span><span class="o">.</span><span class="n">WithConsecutiveFailures</span><span class="p">(</span><span class="m">5</span><span class="p">),</span> <span class="n">cb</span><span class="o">.</span><span class="n">WithOpenTimeout</span><span class="p">(</span><span class="m">30</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">),</span> <span class="p">)</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">breaker</span><span class="o">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="k">func</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">return</span> <span class="n">stripeClient</span><span class="o">.</span><span class="n">Charge</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="p">})</span> <span class="k">if</span> <span class="n">errors</span><span class="o">.</span><span class="n">Is</span><span class="p">(</span><span class="n">err</span><span class="p">,</span> <span class="n">cb</span><span class="o">.</span><span class="n">ErrCircuitOpen</span><span class="p">)</span> <span class="p">{</span> <span class="c">// fallback or fail fast</span> <span class="p">}</span> </code></pre> </div> <p>That's it. Wrap any unreliable call — payment gateways, external APIs, legacy services, that one dependency that "kinda works".</p> <h2> Why not just use timeouts? </h2> <p>Timeouts protect your goroutine.<br> Circuit breakers protect your system.</p> <p>When a dependency becomes slow:</p> <ul> <li>retries multiply the load</li> <li>queues grow</li> <li>latency spreads</li> <li>healthy parts fail because of one sick dependency</li> </ul> <p>Circuit breaker says: <em>"nope, not calling this for a while"</em>. System breathes again.</p> <h2> What's inside </h2> <p><strong>Two trip strategies:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Trip after N consecutive failures</span> <span class="n">cb</span><span class="o">.</span><span class="n">WithConsecutiveFailures</span><span class="p">(</span><span class="m">5</span><span class="p">)</span> <span class="c">// Trip when error rate exceeds threshold in time window</span> <span class="n">cb</span><span class="o">.</span><span class="n">WithSlidingWindow</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Minute</span><span class="p">,</span> <span class="m">0.5</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span> <span class="c">// 50% errors, min 10 requests</span> </code></pre> </div> <p><strong>State machine:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Closed → Open → Half-Open → Closed ↑___________| (probe fails) </code></pre> </div> <p><strong>Distributed support:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Share state across instances via Redis</span> <span class="n">store</span> <span class="o">:=</span> <span class="n">redisstore</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">redisClient</span><span class="p">)</span> <span class="n">breaker</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">cb</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"stripe"</span><span class="p">,</span> <span class="n">cb</span><span class="o">.</span><span class="n">WithStore</span><span class="p">(</span><span class="n">store</span><span class="p">))</span> </code></pre> </div> <h2> The numbers </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">BenchmarkExecute_Closed-8 89 ns/op 0 B/op 0 allocs/op BenchmarkExecute_Open-8 15 ns/op 0 B/op 0 allocs/op BenchmarkExecute_Parallel-8 45 ns/op 0 B/op 0 allocs/op </span></code></pre> </div> <p>Zero allocations in the hot path. No background goroutines. No magic.</p> <h2> Design constraints </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Rule</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td>No background workers</td> <td>Predictable resource usage</td> </tr> <tr> <td>No framework coupling</td> <td>Drop into any codebase</td> </tr> <tr> <td>Explicit configuration</td> <td>No surprises in production</td> </tr> <tr> <td>Simple state machine</td> <td>Easy to reason about at 3 AM</td> </tr> </tbody> </table></div> <p>~500 lines of code. One dependency (Redis client, optional).</p> <h2> Features </h2> <ul> <li>Consecutive failure counting</li> <li>Sliding window with error rate threshold</li> <li>Configurable half-open probes</li> <li>Custom failure detection (<code>WithIsFailure</code>)</li> <li>State change callbacks (<code>WithOnStateChange</code>)</li> <li>Redis store for distributed systems</li> <li>Thread-safe, race-free</li> </ul> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go get github.com/aqylsoft/circuitbreaker go get github.com/aqylsoft/circuitbreaker/redisstore <span class="c"># optional</span> </code></pre> </div> <h2> The real reason this exists </h2> <p>I still remember staring at dashboards at 3 AM, watching everything slow down because of one broken dependency, and thinking: <em>"we should have done this properly from day one"</em>.</p> <p>This is me doing it properly. Years later.</p> <p><strong>GitHub:</strong> <a href="https://github.com/aqylsoft/circuitbreaker" rel="noopener noreferrer">https://github.com/aqylsoft/circuitbreaker</a></p> <p>PRs and issues welcome. If this is useful — a star would be nice.</p> go microservices architecture Zero-Dependency HTTP Fingerprinting Library in Go: Bot Detection with JA3 Maksat Ramazan Fri, 13 Mar 2026 12:56:53 +0000 https://dev.to/makennsky/zero-dependency-http-fingerprinting-library-in-go-bot-detection-with-ja3-3ad8 https://dev.to/makennsky/zero-dependency-http-fingerprinting-library-in-go-bot-detection-with-ja3-3ad8 <p>Last month I was building an API for a fintech project. We had rate limiting in place (using <a href="https://github.com/aqylsoft/kazrl" rel="noopener noreferrer">kazrl</a>, actually), but bots kept slipping through. They'd rotate IPs, spoof User-Agents, and our simple checks were useless.</p> <p>I needed something smarter. Something that could identify clients by <em>how</em> they make requests, not just <em>what</em> they send.</p> <p>That's when I went down the rabbit hole of HTTP fingerprinting. And after reading papers on JA3, TLS fingerprinting, and header analysis — I realized there was no simple Go library that did all of this without pulling in half the internet as dependencies.</p> <p>So I built <strong><a href="https://github.com/aqylsoft/reqdna" rel="noopener noreferrer">reqdna</a></strong> — a zero-dependency HTTP fingerprinting library for Go 1.26+.</p> <h2> What is HTTP Fingerprinting? </h2> <p>Every HTTP client leaves a unique "fingerprint" based on:</p> <ul> <li> <strong>TLS handshake</strong> — cipher suites, extensions, curves offered</li> <li> <strong>Header order</strong> — browsers send headers in specific sequences</li> <li> <strong>Header presence</strong> — real browsers send Accept-Language, bots often don't</li> <li> <strong>User-Agent patterns</strong> — obvious, but still useful in combination</li> </ul> <p>The key insight: <strong>even if a bot spoofs the User-Agent, it can't easily fake the TLS handshake</strong>. That's where JA3 comes in.</p> <h2> JA3: The TLS Fingerprint </h2> <p>JA3 is a method developed by Salesforce to fingerprint TLS clients. It extracts data from the ClientHello message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csvs"><code><span class="nv">Format:</span> <span class="k">SSLVersion</span><span class="p">,</span><span class="k">Ciphers</span><span class="p">,</span><span class="k">Extensions</span><span class="p">,</span><span class="k">EllipticCurves</span><span class="p">,</span><span class="k">ECPointFormats</span> <span class="nv">Example:</span> <span class="mf">771</span><span class="p">,</span><span class="mf">4865</span><span class="err">-</span><span class="mf">4866</span><span class="err">-</span><span class="mf">4867</span><span class="err">-</span><span class="mf">49196</span><span class="p">,</span><span class="mf">0</span><span class="err">-</span><span class="mf">23</span><span class="err">-</span><span class="mf">65281</span><span class="err">-</span><span class="mf">10</span><span class="err">-</span><span class="mf">11</span><span class="p">,</span><span class="mf">29</span><span class="err">-</span><span class="mf">23</span><span class="err">-</span><span class="mf">24</span><span class="p">,</span><span class="mf">0</span> <span class="nv">Hash:</span> <span class="k">MD</span><span class="mf">5</span> <span class="err">→</span> <span class="k">ada</span><span class="mf">70206e40642</span><span class="k">a</span><span class="mf">3e4461</span><span class="k">f</span><span class="mf">35503241</span><span class="k">d</span><span class="mf">5</span> </code></pre> </div> <p>Every browser version has a unique JA3 hash. Chrome, Firefox, curl, Python requests — all different. And here's the kicker: <strong>it's extremely hard to spoof</strong>.</p> <p>To fake a JA3 fingerprint, you'd need to modify the TLS library itself. Most bots don't bother.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Client</th> <th>JA3 Hash</th> </tr> </thead> <tbody> <tr> <td>Chrome</td> <td><code>b32309a26951912be7dba376398abc3b</code></td> </tr> <tr> <td>Firefox</td> <td><code>839bbe3ed07fed922ded5aaf714d6842</code></td> </tr> <tr> <td>curl</td> <td><code>456523fc94726331a4d5a2e1d40b2cd7</code></td> </tr> <tr> <td>Python requests</td> <td><code>3b5074b1b5d032e5620f69f9f700ff0e</code></td> </tr> </tbody> </table></div> <h2> Enter reqdna </h2> <p>Here's the simplest usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"net/http"</span> <span class="s">"github.com/aqylsoft/reqdna"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">fp</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">FromRequest</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Fingerprint:"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">Hash</span><span class="p">[</span><span class="o">:</span><span class="m">16</span><span class="p">])</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Bot Score:"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">BotScore</span><span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Is Bot:"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">IsBot</span><span class="p">())</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Device:"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">Device</span><span class="o">.</span><span class="n">Type</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">Device</span><span class="o">.</span><span class="n">Browser</span><span class="p">)</span> <span class="p">})</span> <span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="s">":8080"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>That's it. <strong>10 lines</strong> and you have:</p> <ul> <li>Stable fingerprint hash</li> <li>Bot probability score (0.0 - 1.0)</li> <li>Device/browser detection</li> <li>IP analysis (hashed for GDPR compliance)</li> </ul> <h2> The Fingerprint Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Fingerprint</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Hash</span> <span class="kt">string</span> <span class="c">// Stable SHA256 fingerprint</span> <span class="n">IP</span> <span class="n">IPInfo</span> <span class="c">// IP metadata (hashed by default)</span> <span class="n">TLS</span> <span class="n">TLSInfo</span> <span class="c">// TLS fingerprint with JA3</span> <span class="n">Headers</span> <span class="n">HeaderInfo</span> <span class="c">// Header analysis</span> <span class="n">Device</span> <span class="n">DeviceInfo</span> <span class="c">// OS, browser, device type</span> <span class="n">BotScore</span> <span class="kt">float64</span> <span class="c">// 0.0 - 1.0 probability</span> <span class="n">RequestedAt</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> </code></pre> </div> <p>The <code>BotScore</code> is calculated from multiple signals:</p> <ul> <li>Missing standard headers (User-Agent, Accept, Accept-Language)</li> <li>Low header count (bots send minimal headers)</li> <li>Known bot patterns in User-Agent</li> <li>Header entropy (too uniform = suspicious)</li> <li>Outdated TLS versions</li> <li>Device type detection</li> </ul> <h2> Full JA3 Fingerprinting </h2> <p>Here's where it gets interesting. Go's <code>crypto/tls</code> package exposes <code>ClientHelloInfo</code> through the <code>GetConfigForClient</code> callback. This contains <strong>everything</strong> we need for JA3:</p> <ul> <li><code>SupportedVersions</code></li> <li><code>CipherSuites</code></li> <li> <code>Extensions</code> (added in Go 1.21!)</li> <li><code>SupportedCurves</code></li> <li><code>SupportedPoints</code></li> </ul> <p>No external dependencies. No C bindings. Pure Go stdlib.</p> <p>Here's how to enable full JA3:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"crypto/tls"</span> <span class="s">"fmt"</span> <span class="s">"net/http"</span> <span class="s">"github.com/aqylsoft/reqdna"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// 1. Create store to capture ClientHello</span> <span class="n">store</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">NewClientHelloStore</span><span class="p">()</span> <span class="c">// 2. Wrap your TLS config</span> <span class="n">tlsConfig</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">WrapTLSConfig</span><span class="p">(</span><span class="o">&amp;</span><span class="n">tls</span><span class="o">.</span><span class="n">Config</span><span class="p">{</span> <span class="n">MinVersion</span><span class="o">:</span> <span class="n">tls</span><span class="o">.</span><span class="n">VersionTLS12</span><span class="p">,</span> <span class="p">},</span> <span class="n">store</span><span class="p">)</span> <span class="c">// 3. Use JA3-aware middleware</span> <span class="n">mux</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewServeMux</span><span class="p">()</span> <span class="n">mux</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="n">handler</span><span class="p">)</span> <span class="n">wrapped</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">MiddlewareWithJA3</span><span class="p">(</span><span class="n">mux</span><span class="p">,</span> <span class="n">store</span><span class="p">)</span> <span class="c">// 4. Start HTTPS server</span> <span class="n">server</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">http</span><span class="o">.</span><span class="n">Server</span><span class="p">{</span> <span class="n">Addr</span><span class="o">:</span> <span class="s">":443"</span><span class="p">,</span> <span class="n">Handler</span><span class="o">:</span> <span class="n">wrapped</span><span class="p">,</span> <span class="n">TLSConfig</span><span class="o">:</span> <span class="n">tlsConfig</span><span class="p">,</span> <span class="p">}</span> <span class="n">server</span><span class="o">.</span><span class="n">ListenAndServeTLS</span><span class="p">(</span><span class="s">"cert.pem"</span><span class="p">,</span> <span class="s">"key.pem"</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">handler</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">fp</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">())</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Your fingerprint: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">Hash</span><span class="p">[</span><span class="o">:</span><span class="m">16</span><span class="p">])</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Bot score: %.2f</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">BotScore</span><span class="p">)</span> <span class="k">if</span> <span class="n">fp</span><span class="o">.</span><span class="n">TLS</span><span class="o">.</span><span class="n">JA3</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"JA3 Hash: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">TLS</span><span class="o">.</span><span class="n">JA3</span><span class="o">.</span><span class="n">Hash</span><span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"JA3 String: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">TLS</span><span class="o">.</span><span class="n">JA3</span><span class="o">.</span><span class="n">String</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The magic happens in <code>WrapTLSConfig</code>. It intercepts the TLS handshake, captures the ClientHello, and stores it keyed by remote address. The middleware then retrieves it and computes the full JA3.</p> <h2> How JA3 Computation Works </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Simplified from ja3.go</span> <span class="k">func</span> <span class="n">ComputeJA3</span><span class="p">(</span><span class="n">hello</span> <span class="o">*</span><span class="n">tls</span><span class="o">.</span><span class="n">ClientHelloInfo</span><span class="p">)</span> <span class="o">*</span><span class="n">JA3Info</span> <span class="p">{</span> <span class="c">// Filter out GREASE values (RFC 8701)</span> <span class="n">cipherSuites</span> <span class="o">:=</span> <span class="n">filterGREASE</span><span class="p">(</span><span class="n">hello</span><span class="o">.</span><span class="n">CipherSuites</span><span class="p">)</span> <span class="n">extensions</span> <span class="o">:=</span> <span class="n">filterGREASE</span><span class="p">(</span><span class="n">hello</span><span class="o">.</span><span class="n">Extensions</span><span class="p">)</span> <span class="n">curves</span> <span class="o">:=</span> <span class="n">filterGREASE</span><span class="p">(</span><span class="n">hello</span><span class="o">.</span><span class="n">SupportedCurves</span><span class="p">)</span> <span class="c">// Build JA3 string</span> <span class="c">// Format: Version,Ciphers,Extensions,Curves,PointFormats</span> <span class="n">ja3String</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%d,%s,%s,%s,%s"</span><span class="p">,</span> <span class="n">hello</span><span class="o">.</span><span class="n">SupportedVersions</span><span class="p">[</span><span class="m">0</span><span class="p">],</span> <span class="n">join</span><span class="p">(</span><span class="n">cipherSuites</span><span class="p">,</span> <span class="s">"-"</span><span class="p">),</span> <span class="n">join</span><span class="p">(</span><span class="n">extensions</span><span class="p">,</span> <span class="s">"-"</span><span class="p">),</span> <span class="n">join</span><span class="p">(</span><span class="n">curves</span><span class="p">,</span> <span class="s">"-"</span><span class="p">),</span> <span class="n">join</span><span class="p">(</span><span class="n">hello</span><span class="o">.</span><span class="n">SupportedPoints</span><span class="p">,</span> <span class="s">"-"</span><span class="p">),</span> <span class="p">)</span> <span class="c">// MD5 hash for compatibility with original JA3</span> <span class="n">hash</span> <span class="o">:=</span> <span class="n">md5</span><span class="o">.</span><span class="n">Sum</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="n">ja3String</span><span class="p">))</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">JA3Info</span><span class="p">{</span> <span class="n">String</span><span class="o">:</span> <span class="n">ja3String</span><span class="p">,</span> <span class="n">Hash</span><span class="o">:</span> <span class="n">hex</span><span class="o">.</span><span class="n">EncodeToString</span><span class="p">(</span><span class="n">hash</span><span class="p">[</span><span class="o">:</span><span class="p">]),</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>GREASE values (0x0a0a, 0x1a1a, etc.) are filtered per the JA3 spec — they're random values browsers insert to test server compatibility.</p> <h2> Bot Detection in Practice </h2> <p>Here's a real-world pattern for protecting an API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">protectedHandler</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">fp</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">())</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Internal error"</span><span class="p">,</span> <span class="m">500</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Hard block obvious bots</span> <span class="k">if</span> <span class="n">fp</span><span class="o">.</span><span class="n">IsBot</span><span class="p">()</span> <span class="p">{</span> <span class="c">// BotScore &gt;= 0.7</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Access denied"</span><span class="p">,</span> <span class="m">403</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Flag suspicious requests for review</span> <span class="k">if</span> <span class="n">fp</span><span class="o">.</span><span class="n">IsSuspicious</span><span class="p">()</span> <span class="p">{</span> <span class="c">// BotScore &gt;= 0.4</span> <span class="n">logSuspiciousRequest</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">fp</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Use fingerprint for smarter rate limiting</span> <span class="c">// Instead of just IP, use fp.Hash</span> <span class="k">if</span> <span class="o">!</span><span class="n">rateLimiter</span><span class="o">.</span><span class="n">Allow</span><span class="p">(</span><span class="n">fp</span><span class="o">.</span><span class="n">Hash</span><span class="p">)</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Too many requests"</span><span class="p">,</span> <span class="m">429</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Proceed with normal handling</span> <span class="n">handleRequest</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The key insight: <strong>fingerprint-based rate limiting is much harder to bypass than IP-based</strong>. Rotating IPs doesn't help when your TLS fingerprint stays the same.</p> <h2> Middleware Integration </h2> <p>Works with any router:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Standard library</span> <span class="n">handler</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">Middleware</span><span class="p">(</span><span class="n">mux</span><span class="p">)</span> <span class="c">// Chi</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">chi</span><span class="o">.</span><span class="n">NewRouter</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">reqdna</span><span class="o">.</span><span class="n">MiddlewareFunc</span><span class="p">())</span> <span class="c">// With JA3 (requires HTTPS)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">reqdna</span><span class="o">.</span><span class="n">MiddlewareFuncWithJA3</span><span class="p">(</span><span class="n">store</span><span class="p">))</span> </code></pre> </div> <h2> Performance </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">BenchmarkComputeJA3-12 815370 1411 ns/op 792 B/op 28 allocs BenchmarkFromRequest-12 298992 3972 ns/op 1016 B/op 26 allocs </span></code></pre> </div> <p><strong>~4μs per request</strong>. That's negligible compared to typical handler latency.</p> <h2> Privacy Considerations </h2> <p>By default, IP addresses are <strong>hashed with a salt</strong> before being included in the fingerprint. This means:</p> <ul> <li>You can identify repeat visitors</li> <li>You can't reverse the hash to get the original IP</li> <li>GDPR-friendly by design </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Custom salt for your application</span> <span class="n">fp</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">FromRequest</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">WithHashSalt</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"FINGERPRINT_SALT"</span><span class="p">)),</span> <span class="p">)</span> </code></pre> </div> <h2> Testing Your Code </h2> <p>The library provides test helpers and interfaces for easy mocking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestBotBlocking</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Create a bot fingerprint for testing</span> <span class="n">fp</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">TestBotFingerprint</span><span class="p">()</span> <span class="k">if</span> <span class="o">!</span><span class="n">fp</span><span class="o">.</span><span class="n">IsBot</span><span class="p">()</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="s">"should detect as bot"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Or use interfaces for dependency injection</span> <span class="k">type</span> <span class="n">mockExtractor</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">fp</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">Fingerprint</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span><span class="n">mockExtractor</span><span class="p">)</span> <span class="n">Extract</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">Fingerprint</span> <span class="p">{</span> <span class="k">return</span> <span class="n">m</span><span class="o">.</span><span class="n">fp</span> <span class="p">}</span> </code></pre> </div> <h2> What's Next? </h2> <p>Some ideas I'm considering:</p> <ul> <li> <strong>Known JA3 database</strong> — map hashes to known clients</li> <li> <strong>Behavioral analysis</strong> — request timing patterns</li> <li> <strong>WebSocket fingerprinting</strong> — extend to WS connections</li> <li> <strong>Integration with kazrl</strong> — fingerprint-aware rate limiting out of the box</li> </ul> <h2> Conclusion </h2> <p>Bot detection is an arms race. Simple checks like User-Agent validation haven't been effective for years. But TLS fingerprinting with JA3 raises the bar significantly — bots now need to modify their TLS stack to evade detection.</p> <p><strong>reqdna</strong> gives you all of this with zero dependencies, ~4μs overhead, and a clean API. It's the "DNA" of HTTP requests.</p> <p>Check it out: <a href="https://github.com/aqylsoft/reqdna" rel="noopener noreferrer">github.com/aqylsoft/reqdna</a></p> <p><em>If you found this useful, I also wrote about building a <a href="https://dev.to/makennsky/building-a-zero-dependency-rate-limiter-in-go-token-bucket-leaky-bucket-sliding-window-134n">zero-dependency rate limiter</a> in Go. These two libraries work great together.</em></p> <p><strong>What fingerprinting techniques do you use for bot detection? Let me know in the comments!</strong></p> programming go computerscience softwareengineering Building a Zero-Dependency Rate Limiter in Go (Token Bucket, Leaky Bucket, Sliding Window) Maksat Ramazan Wed, 19 Nov 2025 14:49:26 +0000 https://dev.to/makennsky/building-a-zero-dependency-rate-limiter-in-go-token-bucket-leaky-bucket-sliding-window-134n https://dev.to/makennsky/building-a-zero-dependency-rate-limiter-in-go-token-bucket-leaky-bucket-sliding-window-134n <p>Rate limiting is essential for protecting APIs from abuse, ensuring fair resource allocation, and maintaining system stability. While there are existing solutions, I wanted to build something lightweight, performant, and easy to integrate into any Go project.</p> <p>Today, I'm sharing <strong>kazrl</strong> - a zero-dependency rate limiter library that implements three different algorithms and comes with ready-to-use middleware for popular Go web frameworks.</p> <h2> The Problem </h2> <p>Most rate limiting libraries either:</p> <ul> <li>Come with heavy dependencies</li> <li>Support only one algorithm</li> <li>Require complex setup for per-client limiting</li> <li>Lack middleware integration</li> </ul> <p>I needed something that:</p> <ul> <li>Has zero external dependencies</li> <li>Supports multiple algorithms (Token Bucket, Leaky Bucket, Sliding Window)</li> <li>Works with popular frameworks out of the box</li> <li>Provides flexible per-client rate limiting</li> </ul> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go get github.com/Makennsky/kazrl </code></pre> </div> <p>That's it! No transitive dependencies to worry about.</p> <h2> Quick Start </h2> <p>Here's the simplest way to add rate limiting to your HTTP handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"net/http"</span> <span class="s">"github.com/Makennsky/kazrl"</span> <span class="s">"github.com/Makennsky/kazrl/middleware"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Create a rate limiter: 100 requests per second, burst of 200</span> <span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="c">// Apply middleware</span> <span class="n">rateLimitMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTP</span><span class="p">(</span><span class="n">limiter</span><span class="p">)</span> <span class="n">handler</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">Write</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="s">"Hello, World!"</span><span class="p">))</span> <span class="p">})</span> <span class="n">http</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/api/"</span><span class="p">,</span> <span class="n">rateLimitMiddleware</span><span class="p">(</span><span class="n">handler</span><span class="p">))</span> <span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="s">":8080"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>That's literally 10 lines of code to add rate limiting!</p> <h2> Three Algorithms, One Interface </h2> <p>Different use cases need different strategies. kazrl implements three battle-tested algorithms:</p> <h3> 1. Token Bucket </h3> <p>Perfect for APIs that need to allow bursts while maintaining average rate limits.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">10</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="c">// 10 requests per second, allows bursts up to 20</span> </code></pre> </div> <p><strong>Use case</strong>: Public APIs, user-facing endpoints</p> <h3> 2. Leaky Bucket </h3> <p>Smooths out traffic spikes by processing requests at a constant rate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewLeakyBucket</span><span class="p">(</span><span class="m">10</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="c">// Processes 10 req/s, queues up to 20</span> </code></pre> </div> <p><strong>Use case</strong>: Protecting downstream services, database queries</p> <h3> 3. Sliding Window </h3> <p>Provides the most accurate rate limiting without fixed window edge cases.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewSlidingWindow</span><span class="p">(</span><span class="m">10</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="c">// 10 req/s with a sliding time window</span> </code></pre> </div> <p><strong>Use case</strong>: Strict rate enforcement, billing APIs</p> <p>All three implement the same interface, so switching is trivial:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">RateLimiter</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Allow</span><span class="p">()</span> <span class="kt">bool</span> <span class="n">AllowN</span><span class="p">(</span><span class="n">n</span> <span class="kt">int</span><span class="p">)</span> <span class="kt">bool</span> <span class="n">Wait</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="kt">error</span> <span class="n">WaitN</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">n</span> <span class="kt">int</span><span class="p">)</span> <span class="kt">error</span> <span class="n">Reserve</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="n">ReserveN</span><span class="p">(</span><span class="n">n</span> <span class="kt">int</span><span class="p">)</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="p">}</span> </code></pre> </div> <h2> Per-Client Rate Limiting Made Easy </h2> <p>The real power comes with per-client limiting. Here's how to rate limit by IP address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">rateLimitMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTPWithKeyFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">()</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">RateLimiter</span> <span class="p">{</span> <span class="k">return</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">10</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="c">// 10 req/s per IP</span> <span class="p">},</span> <span class="n">middleware</span><span class="o">.</span><span class="n">KeyByIP</span><span class="p">,</span> <span class="c">// Built-in IP extractor</span> <span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/api/"</span><span class="p">,</span> <span class="n">rateLimitMiddleware</span><span class="p">(</span><span class="n">handler</span><span class="p">))</span> </code></pre> </div> <p>Each IP address automatically gets its own rate limiter instance. The library handles X-Forwarded-For and X-Real-IP headers correctly.</p> <h3> Rate Limit by API Key </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">rateLimitMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTPWithKeyFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">()</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">RateLimiter</span> <span class="p">{</span> <span class="k">return</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="p">},</span> <span class="n">middleware</span><span class="o">.</span><span class="n">KeyByAPIKey</span><span class="p">,</span> <span class="c">// Extracts from Authorization header</span> <span class="p">)</span> </code></pre> </div> <h3> Custom Key Functions </h3> <p>Need something more complex? Write your own key extractor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">customKeyFunc</span> <span class="o">:=</span> <span class="k">func</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="c">// Rate limit by IP + endpoint combination</span> <span class="k">return</span> <span class="n">middleware</span><span class="o">.</span><span class="n">KeyByIP</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="o">+</span> <span class="s">":"</span> <span class="o">+</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span> <span class="p">}</span> <span class="n">rateLimitMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTPWithKeyFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">()</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">RateLimiter</span> <span class="p">{</span> <span class="k">return</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">5</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span> <span class="p">},</span> <span class="n">customKeyFunc</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h2> Framework Integration </h2> <p>kazrl provides native middleware for popular frameworks:</p> <h3> Gin </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">r</span> <span class="o">:=</span> <span class="n">gin</span><span class="o">.</span><span class="n">Default</span><span class="p">()</span> <span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">Gin</span><span class="p">(</span><span class="n">limiter</span><span class="p">))</span> </code></pre> </div> <h3> Echo </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">e</span> <span class="o">:=</span> <span class="n">echo</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="n">e</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">Echo</span><span class="p">(</span><span class="n">limiter</span><span class="p">))</span> </code></pre> </div> <h3> Fiber </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">app</span> <span class="o">:=</span> <span class="n">fiber</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="n">app</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">Fiber</span><span class="p">(</span><span class="n">limiter</span><span class="p">))</span> </code></pre> </div> <h3> Chi </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">r</span> <span class="o">:=</span> <span class="n">chi</span><span class="o">.</span><span class="n">NewRouter</span><span class="p">()</span> <span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">Chi</span><span class="p">(</span><span class="n">limiter</span><span class="p">))</span> </code></pre> </div> <h2> Multi-Layer Rate Limiting </h2> <p>For advanced scenarios, you can stack multiple rate limiters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Global limit: 1000 req/s for all clients</span> <span class="n">globalLimiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">1000</span><span class="p">,</span> <span class="m">2000</span><span class="p">)</span> <span class="n">globalMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTP</span><span class="p">(</span><span class="n">globalLimiter</span><span class="p">)</span> <span class="c">// Per-IP limit: 10 req/s per client</span> <span class="n">perIPMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTPWithKeyFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">()</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">RateLimiter</span> <span class="p">{</span> <span class="k">return</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">10</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="p">},</span> <span class="n">middleware</span><span class="o">.</span><span class="n">KeyByIP</span><span class="p">,</span> <span class="p">)</span> <span class="c">// Stack them!</span> <span class="n">handler</span> <span class="o">:=</span> <span class="n">globalMiddleware</span><span class="p">(</span><span class="n">perIPMiddleware</span><span class="p">(</span><span class="n">yourHandler</span><span class="p">))</span> </code></pre> </div> <p>This protects against both individual abuse and total system overload.</p> <h2> Performance </h2> <p>Benchmarks on a modern system (Intel i7-1355U):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>BenchmarkTokenBucketAllow-12 4,574,689 ops 255.6 ns/op 0 allocs/op BenchmarkLeakyBucketAllow-12 5,218,902 ops 208.3 ns/op 0 allocs/op BenchmarkSlidingWindowAllow-12 6,476,462 ops 198.6 ns/op 0 allocs/op </code></pre> </div> <p><strong>200-260 nanoseconds</strong> per operation with <strong>zero allocations</strong>. That's fast enough for the most demanding applications.</p> <h2> Production-Ready Features </h2> <h3> Context Support </h3> <p>All blocking operations support context cancellation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">ctx</span><span class="p">,</span> <span class="n">cancel</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithTimeout</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="m">1</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">)</span> <span class="k">defer</span> <span class="n">cancel</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">limiter</span><span class="o">.</span><span class="n">Wait</span><span class="p">(</span><span class="n">ctx</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// Handle timeout or cancellation</span> <span class="p">}</span> </code></pre> </div> <h3> Reservation API </h3> <p>For advanced use cases, you can reserve tokens and schedule work:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">waitDuration</span> <span class="o">:=</span> <span class="n">limiter</span><span class="o">.</span><span class="n">Reserve</span><span class="p">()</span> <span class="k">if</span> <span class="n">waitDuration</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="c">// Schedule for later</span> <span class="n">time</span><span class="o">.</span><span class="n">AfterFunc</span><span class="p">(</span><span class="n">waitDuration</span><span class="p">,</span> <span class="n">processRequest</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c">// Process immediately</span> <span class="n">processRequest</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <h3> Thread-Safe </h3> <p>All operations are thread-safe. You can safely use the same limiter instance across multiple goroutines.</p> <h2> Algorithm Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Algorithm</th> <th>Burst Support</th> <th>Smoothing</th> <th>Memory</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td>Token Bucket</td> <td>Yes</td> <td>No</td> <td>Low</td> <td>Public APIs, burst tolerance</td> </tr> <tr> <td>Leaky Bucket</td> <td>Queued</td> <td>Yes</td> <td>Medium</td> <td>Downstream protection</td> </tr> <tr> <td>Sliding Window</td> <td>No</td> <td>No</td> <td>High</td> <td>Strict enforcement</td> </tr> </tbody> </table></div> <h2> Implementation Insights </h2> <h3> Why Zero Dependencies? </h3> <p>Dependencies are a security and maintenance burden. By keeping kazrl dependency-free:</p> <ul> <li>No supply chain attacks via transitive dependencies</li> <li>Faster installation and smaller binaries</li> <li>No version conflicts with your other dependencies</li> <li>Easy to audit (&lt; 2000 lines of code)</li> </ul> <h3> Concurrency Design </h3> <p>Each algorithm uses <code>sync.Mutex</code> for thread-safety. While this might seem simple, it's actually the right choice here:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">tokenBucket</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">Mutex</span> <span class="n">rate</span> <span class="kt">float64</span> <span class="n">burst</span> <span class="kt">int</span> <span class="n">tokens</span> <span class="kt">float64</span> <span class="n">lastUpdate</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> </code></pre> </div> <p>Lock contention is minimal because:</p> <ol> <li>Operations are extremely fast (&lt; 300ns)</li> <li>The critical section is tiny (just token math)</li> <li>Per-client limiting distributes the load</li> </ol> <p>For most applications, you'll never see contention. If you're handling millions of requests per second per endpoint, you might need a distributed solution anyway.</p> <h3> Memory Management </h3> <p>The library is designed to minimize allocations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// No allocations in the hot path</span> <span class="k">func</span> <span class="p">(</span><span class="n">tb</span> <span class="o">*</span><span class="n">tokenBucket</span><span class="p">)</span> <span class="n">Allow</span><span class="p">()</span> <span class="kt">bool</span> <span class="p">{</span> <span class="n">tb</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">tb</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="n">now</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span> <span class="n">tb</span><span class="o">.</span><span class="n">refillTokens</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c">// Pure math, no allocations</span> <span class="k">if</span> <span class="n">tb</span><span class="o">.</span><span class="n">tokens</span> <span class="o">&gt;=</span> <span class="m">1.0</span> <span class="p">{</span> <span class="n">tb</span><span class="o">.</span><span class="n">tokens</span> <span class="o">-=</span> <span class="m">1.0</span> <span class="k">return</span> <span class="no">true</span> <span class="p">}</span> <span class="k">return</span> <span class="no">false</span> <span class="p">}</span> </code></pre> </div> <p>The only allocations happen when creating new per-client limiters, which is infrequent.</p> <h2> Real-World Example </h2> <p>Here's a complete example of a production-ready API server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"encoding/json"</span> <span class="s">"net/http"</span> <span class="s">"github.com/Makennsky/kazrl"</span> <span class="s">"github.com/Makennsky/kazrl/middleware"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Global rate limit: 10,000 req/s</span> <span class="n">globalLimiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">10000</span><span class="p">,</span> <span class="m">20000</span><span class="p">)</span> <span class="n">globalMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTP</span><span class="p">(</span><span class="n">globalLimiter</span><span class="p">)</span> <span class="c">// Per-IP rate limit: 100 req/s</span> <span class="n">perIPMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTPWithKeyFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">()</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">RateLimiter</span> <span class="p">{</span> <span class="k">return</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="p">},</span> <span class="n">middleware</span><span class="o">.</span><span class="n">KeyByIP</span><span class="p">,</span> <span class="p">)</span> <span class="c">// API handler</span> <span class="n">apiHandler</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">response</span> <span class="o">:=</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span> <span class="s">"status"</span><span class="o">:</span> <span class="s">"ok"</span><span class="p">,</span> <span class="s">"message"</span><span class="o">:</span> <span class="s">"Request processed"</span><span class="p">,</span> <span class="p">}</span> <span class="n">json</span><span class="o">.</span><span class="n">NewEncoder</span><span class="p">(</span><span class="n">w</span><span class="p">)</span><span class="o">.</span><span class="n">Encode</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> <span class="p">})</span> <span class="c">// Stack middleware</span> <span class="n">http</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/api/"</span><span class="p">,</span> <span class="n">globalMiddleware</span><span class="p">(</span><span class="n">perIPMiddleware</span><span class="p">(</span><span class="n">apiHandler</span><span class="p">)))</span> <span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="s">":8080"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> When to Use Each Algorithm </h2> <p><strong>Token Bucket</strong> - Default choice</p> <ul> <li>Public APIs</li> <li>User-facing endpoints</li> <li>Services that need burst capacity</li> <li>Not suitable when strict rate enforcement is needed</li> </ul> <p><strong>Leaky Bucket</strong> - Traffic shaping</p> <ul> <li>Protecting slow downstream services</li> <li>Database query rate limiting</li> <li>Smoothing traffic spikes</li> <li>Not suitable when you need to allow bursts</li> </ul> <p><strong>Sliding Window</strong> - Strict enforcement</p> <ul> <li>Billing/metered APIs</li> <li>When accuracy is critical</li> <li>Preventing gaming fixed windows</li> <li>Not suitable when you need burst capacity</li> </ul> <h2> Future Plans </h2> <p>Ideas I'm considering:</p> <ul> <li>Distributed rate limiting (Redis backend)</li> <li>Prometheus metrics integration</li> <li>Response header injection (X-RateLimit-*)</li> <li>Dynamic rate adjustment based on system load</li> <li>gRPC interceptors</li> </ul> <p>What would you find useful? Let me know in the comments!</p> <h2> Resources </h2> <ul> <li> <strong>GitHub</strong>: <a href="https://github.com/Makennsky/kazrl" rel="noopener noreferrer">https://github.com/Makennsky/kazrl</a> </li> <li> <strong>Documentation</strong>: Full examples in README</li> <li> <strong>Benchmarks</strong>: Run <code>go test -bench=. -benchmem</code> </li> </ul> <h2> Try It Out </h2> <p>Give kazrl a try in your next project! It's production-ready, battle-tested, and takes 2 minutes to integrate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go get github.com/Makennsky/kazrl </code></pre> </div> <p>If you find it useful, please star the repo on GitHub!</p> <p><strong>What rate limiting challenges have you faced?</strong> Share your experiences in the comments below!</p> <p><em>Built in Kazakhstan</em></p> go ratelimiting webdev