How I Built an Open-Source API Gateway to Secure Backends Without Code Changes

Sohail Qureshi — Sat, 25 Apr 2026 02:34:16 +0000

How I Built an Open-Source API Gateway to Secure Backends Without Code Changes

If you've ever shipped an API, you know the drill:

One day it's working fine. Next day, you get alerts for SQL injection, XSS, or path traversal attempts. Adding security usually means rewriting middleware, integrating heavy SDKs, or paying enterprise prices for a WAF.

I got tired of that trade-off. So I built Backport — a lightweight, open-source API gateway that sits in front of your backend and handles security, rate limiting, and caching. Zero code changes required.

🎯 The Problem I Was Solving

Most small teams & indie devs don't have a dedicated security engineer
Cloudflare/enterprise WAFs charge $20+/mo just for custom regex rules
Adding middleware to every route = tech debt + deployment friction
Mocking & caching still require separate tools

I wanted something that just works out of the box, is transparent, and doesn't lock you in.

🛠 How Backport Works (Architecture)

graph LR
  Client -->|HTTPS| Proxy[Backport Proxy]
  Proxy -->|WAF + Rate Limit + Cache| Backend[Your API]
  Proxy -->|Transform/Mock| Client

Client requests https://backport.in/proxy/users
Backport validates headers, checks WAF rules, applies rate limits
If clean, forwards to your backend
Response passes through transformation/cache layer before returning

Overhead: <5ms per request. Built for speed + security.

✨ Key Features

Feature	What It Does
🔒 Built-in WAF	17+ patterns: SQLi, XSS, path traversal, command injection, XXE
🧩 Custom Rules	Write your own regex threats — completely free
⏱ Rate Limiting	Sliding window, 100–5000 req/min based on plan
💾 LRU Caching	Auto-cache GET responses (5-min TTL, 1000 entries)
🎭 API Mocking	Define mock endpoints for frontend dev or backend downtime
🔄 Response Transform	Add/remove fields, rename keys on-the-fly
🔑 Idempotency	`Idempotency-Key` header support for safe retries

🚀 Quick Start

# Point your client to the proxy instead of your backend
curl https://backport.in/proxy/users \
  -H "X-API-Key: bk_your_key_here"

That's it. No SDK. No config files. Just set your backend URL in the dashboard and you're protected.

🔓 Open Source & Self-Hostable

Backport is MIT licensed

docker run -d -p 8000:8000 ghcr.io/suhail/backport:latest

Backend: Python + FastAPI + SQLAlchemy
Frontend: Next.js + React + TypeScript + Tailwind
DB: PostgreSQL
GitHub Repo | Docs

💰 Pricing (Transparent, No Surprises)

Free: 100 req/min, 1 API key, basic analytics
Plus: $5.99/mo → 500 req/min, 3 keys, mocking + transform
Pro: $11.99/mo → 5000 req/min, custom WAF rules, webhooks
Self-host: Free forever. Run it anywhere.

🙏 Why I'm Sharing This

I built Backport because I believe API security shouldn't be a luxury. Whether you're shipping a side project, an internal tool, or a client API — you deserve protection that doesn't require rewriting your stack or breaking the bank.

🔗 Try it free: backport.in

🌟 Star on GitHub: Qureshi-1/Backport-io

📅 Launching on Product Hunt: April 25, 2026

I'd love your feedback, bug reports, or feature requests. What's the #1 thing you'd want in an API gateway? Let me know in the comments! 👇

Built with ☕, FastAPI, and too many nginx config experiments.

DEV Community: Sohail Qureshi

How I Built an Open-Source API Gateway to Secure Backends Without Code Changes

How I Built an Open-Source API Gateway to Secure Backends Without Code Changes

🎯 The Problem I Was Solving

🛠 How Backport Works (Architecture)

✨ Key Features

🚀 Quick Start

🔓 Open Source & Self-Hostable

💰 Pricing (Transparent, No Surprises)

🙏 Why I'm Sharing This