How I Built an Open-Source API Gateway to Secure Backends Without Code Changes
If you've ever shipped an API, you know the drill:
One day it's working fine. Next day, you get alerts for SQL injection, XSS, or path traversal attempts. Adding security usually means rewriting middleware, integrating heavy SDKs, or paying enterprise prices for a WAF.
I got tired of that trade-off. So I built Backport — a lightweight, open-source API gateway that sits in front of your backend and handles security, rate limiting, and caching. Zero code changes required.
🎯 The Problem I Was Solving
- Most small teams & indie devs don't have a dedicated security engineer
- Cloudflare/enterprise WAFs charge $20+/mo just for custom regex rules
- Adding middleware to every route = tech debt + deployment friction
- Mocking & caching still require separate tools
I wanted something that just works out of the box, is transparent, and doesn't lock you in.
🛠 How Backport Works (Architecture)
```mermaid
graph LR
  Client -->|HTTPS| Proxy[Backport Proxy]
  Proxy -->|WAF + Rate Limit + Cache| Backend[Your API]
  Proxy -->|Transform/Mock| Client
```
- Client requests `https://backport.in/proxy/users`
- Backport validates headers, checks WAF rules, applies rate limits
- If clean, forwards to your backend
- Response passes through the transformation/cache layer before returning
Overhead: <5ms per request. Built for speed + security.
✨ Key Features
| Feature | What It Does |
|---|---|
| 🔒 Built-in WAF | 17+ patterns: SQLi, XSS, path traversal, command injection, XXE |
| 🧩 Custom Rules | Write your own regex threats — completely free |
| ⏱ Rate Limiting | Sliding window, 100–5000 req/min based on plan |
| 💾 LRU Caching | Auto-cache GET responses (5-min TTL, 1000 entries) |
| 🎭 API Mocking | Define mock endpoints for frontend dev or backend downtime |
| 🔄 Response Transform | Add/remove fields, rename keys on-the-fly |
| 🔑 Idempotency | `Idempotency-Key` header support for safe retries |
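To make the request path above (header validation, WAF rules, rate limit, cache, forward) and the feature table concrete, here is a small stand-alone gateway pipeline in Python. It is an added illustration, not Backport's code: the rule regexes, the `bk_demo` key, the limits and the `demo_backend` stand-in are all constructed for the example, and the thresholds (3 req/window, 5-min TTL, 1000 entries) are assumptions chosen to keep the demo observable.

```python
"""Hypothetical gateway pipeline: WAF check -> sliding-window rate limit ->
per-tenant TTL/LRU cache -> idempotency replay -> backend. Illustration only,
not the Backport implementation; every rule and name here is an assumption."""
import re
import time
from collections import OrderedDict, deque
from urllib.parse import unquote

# Constructed rule set: a small subset of the rule classes a WAF would carry.
WAF_PATTERNS = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|--\s|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)"),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
    "cmd_injection": re.compile(r"(?i)(?:;|\||&&|`)\s*(?:cat|ls|id|whoami|curl|wget)\b"),
}


def waf_check(path, query, body=""):
    """Return the first matching rule name, or None if the request looks clean.
    Percent-decoding happens once before matching so '%2e%2e%2f' and '../' are
    treated alike; double-encoded input (%252e) would still slip past this."""
    haystack = unquote(path) + "?" + unquote(query) + "\n" + body
    for name, pattern in WAF_PATTERNS.items():
        if pattern.search(haystack):
            return name
    return None


class SlidingWindowLimiter:
    """Per-key sliding log: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit, window=60.0):
        self.limit, self.window = limit, window
        self._log = {}  # api_key -> deque of request timestamps

    def allow(self, key, now):
        q = self._log.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class TTLCache:
    """LRU cache with a per-entry expiry; evicts the least recently used entry."""

    def __init__(self, capacity=1000, ttl=300.0):
        self.capacity, self.ttl = capacity, ttl
        self._d = OrderedDict()  # key -> (expires_at, value)

    def get(self, key, now):
        item = self._d.get(key)
        if item is None:
            return None
        expires, value = item
        if expires <= now:
            del self._d[key]
            return None
        self._d.move_to_end(key)
        return value

    def put(self, key, value, now):
        self._d[key] = (now + self.ttl, value)
        self._d.move_to_end(key)
        while len(self._d) > self.capacity:
            self._d.popitem(last=False)


class Gateway:
    def __init__(self, backend, limit=100):
        self.backend = backend
        self.limiter = SlidingWindowLimiter(limit)
        self.cache = TTLCache()
        self.idem = {}  # (api_key, Idempotency-Key) -> stored (status, body)

    def handle(self, method, path, query="", headers=None, body="", now=None):
        headers = headers or {}  # simplification: header names treated case-sensitively
        now = time.time() if now is None else now
        api_key = headers.get("X-API-Key")
        if not api_key:
            return 401, {"error": "missing API key"}
        # Rate limit before the WAF so blocked requests still burn quota.
        if not self.limiter.allow(api_key, now):
            return 429, {"error": "rate limit exceeded"}
        rule = waf_check(path, query, body)
        if rule:
            return 403, {"error": "blocked by WAF", "rule": rule}
        # Cache key includes the tenant so one key never sees another's response.
        cache_key = (api_key, path, query)
        if method == "GET":
            hit = self.cache.get(cache_key, now)
            if hit is not None:
                return 200, dict(hit, cached=True)
        idem_key = headers.get("Idempotency-Key")
        if idem_key and (api_key, idem_key) in self.idem:
            return self.idem[(api_key, idem_key)]  # replay, backend not called again
        status, resp = self.backend(method, path, query, body)
        if method == "GET" and status == 200:
            self.cache.put(cache_key, resp, now)
        if idem_key:
            self.idem[(api_key, idem_key)] = (status, resp)
        return status, resp


def demo_backend(method, path, query, body):
    """Constructed stand-in for the origin; counts calls so caching is observable."""
    demo_backend.calls += 1
    if path == "/users":
        return 200, {"users": ["alice", "bob"]}
    if method == "POST" and path == "/orders":
        return 201, {"order_id": demo_backend.calls}
    return 404, {"error": "not found"}


demo_backend.calls = 0

if __name__ == "__main__":
    gw = Gateway(demo_backend, limit=3)
    h = {"X-API-Key": "bk_demo"}
    print(gw.handle("GET", "/users", headers=h, now=0.0))  # forwarded to backend
    print(gw.handle("GET", "/users", headers=h, now=1.0))  # served from cache
    print(gw.handle("GET", "/users", query="id=1' OR 1=1", headers=h, now=2.0))  # 403
    print(gw.handle("GET", "/users", headers=h, now=3.0))  # 429: 4th request in 60 s
```

Two things the toy makes visible that matter in a real deployment: the rate limit is keyed on the API key, so an unauthenticated request is rejected before it can consume anyone's quota; and the cache and idempotency store are both scoped per tenant, because a shared GET cache in front of authenticated endpoints is how one customer ends up reading another's data. The regex rules are also the weakest link: they are trivially bypassed by encodings the normaliser does not undo and will false-positive on legitimate input (a parameter named `condition` is one character away from an event-handler rule), so treat them as a tripwire, not as the only line of defence.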
🚀 Quick Start
```bash
# Point your client to the proxy instead of your backend
curl https://backport.in/proxy/users \
  -H "X-API-Key: bk_your_key_here"
```
That's it. No SDK. No config files. Just set your backend URL in the dashboard and you're protected. One thing to check on your side: a gateway only protects traffic that actually passes through it, so make sure the origin rejects requests that don't come from the proxy (a network allowlist or a shared secret header), or anyone who discovers the backend URL can skip the WAF and rate limits entirely.
🔓 Open Source & Self-Hostable
```bash
docker run -d -p 8000:8000 ghcr.io/suhail/backport:latest
```
- Backend: Python + FastAPI + SQLAlchemy
- Frontend: Next.js + React + TypeScript + Tailwind
- DB: PostgreSQL
- GitHub Repo | Docs
💰 Pricing (Transparent, No Surprises)
- Free: 100 req/min, 1 API key, basic analytics
- Plus: $5.99/mo → 500 req/min, 3 keys, mocking + transform
- Pro: $11.99/mo → 5000 req/min, custom WAF rules, webhooks
- Self-host: Free forever. Run it anywhere.
🙏 Why I'm Sharing This
I built Backport because I believe API security shouldn't be a luxury. Whether you're shipping a side project, an internal tool, or a client API — you deserve protection that doesn't require rewriting your stack or breaking the bank.
🔗 Try it free: backport.in
🌟 Star on GitHub: Qureshi-1/Backport-io
📅 Launching on Product Hunt: April 25, 2026
I'd love your feedback, bug reports, or feature requests. What's the #1 thing you'd want in an API gateway? Let me know in the comments! 👇
Built with ☕, FastAPI, and too many nginx config experiments.