Authenticate first
Resolve a workspace key with one exact hash-keyed Redis lookup before opening an upstream connection.
API security proxy
ThrottleProxy combines workspace authentication, approved destinations, private-network blocking, credential separation, resource limits, and sanitized lifecycle evidence. It does not replace provider authentication or a complete enterprise gateway.
Practical boundaries
Resolve a workspace key with one exact hash-keyed Redis lookup before opening an upstream connection.
Require exact hosts or explicit one-level wildcard patterns before target safety validation.
Reject local, metadata, private, reserved, unsafe-port, and unsafe-protocol targets before outbound traffic.
Strip ThrottleProxy credentials, cookies, and hop-by-hop headers from the upstream request.
Apply request, response, queue, concurrency, idle, and absolute-duration limits.
Redact sensitive headers, query values, tokens, bodies, and raw upstream errors from lifecycle output.
No. Proxy credentials are removed before the outbound request. Providers that require authorization need a separate explicit credential mechanism.
Targets are checked for unsafe protocols, ports, local names, private and reserved addresses, metadata ranges, and unsafe DNS results.
Diagnostic and lifecycle objects are designed to preserve safe stage, timing, and status context without raw request or response bodies.
Use one workspace key, one exact public host, and non-sensitive test traffic.
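The destination approval and target safety checks described above can be sketched as follows. This is an added example, not ThrottleProxy's own code: the function names, the scheme and port sets, the local-name suffixes, and the reason strings are assumptions, and DNS answers are passed in so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy values for illustration; the page does not list the real ones.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443, 8443}
LOCAL_SUFFIXES = (".localhost", ".local", ".internal")


def host_allowed(host, patterns):
    """Exact match, or '*.example.com' matching exactly one extra label."""
    for pattern in patterns:
        if pattern.startswith("*."):
            label, _, rest = host.partition(".")
            if label and rest == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def ip_is_unsafe(ip_text):
    """True for loopback, private, link-local (metadata), reserved, multicast."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        ip = mapped
    return not ip.is_global or ip.is_multicast


def check_target(url, patterns, resolved_ips):
    """Return (ok, reason); resolved_ips are the DNS answers for the host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host_allowed(host, patterns):  # approval precedes safety validation
        return False, "host-not-approved"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "unsafe-protocol"
    try:
        port = parts.port or 443
    except ValueError:  # out-of-range port in the URL
        return False, "unsafe-port"
    if port not in ALLOWED_PORTS:
        return False, "unsafe-port"
    if host == "localhost" or host.endswith(LOCAL_SUFFIXES):
        return False, "local-name"
    # Every DNS answer must be public; one unsafe record rejects the target.
    if not resolved_ips or any(ip_is_unsafe(ip) for ip in resolved_ips):
        return False, "unsafe-address"
    return True, "ok"
```

The outbound connection should then be made to one of the addresses that passed the check, since a second DNS lookup can return a different answer.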