Aegis Logo Aegis
🛡️ Zero-Trust Architecture

Absolute End-to-End Encryption for standard REST APIs

Aegis is a zero-trust, end-to-end encrypted HTTP gateway designed to eliminate data-scraping, XSS, and supply-chain tampering. By intercepting standard REST requests at the browser DOM layer and delegating encryption to an isolated OS-level GPG daemon, Aegis guarantees that private keys and plaintext payloads are never exposed to browser memory. Whether protecting sensitive APIs, enforcing OS-level Pinentry challenge-responses, or verifying client identity via Web Key Directory (WKD), Aegis provides a transparent, plug-and-play defense against modern browser-based vulnerabilities.

🛡️ What is Aegis? In Greek mythology, the Aegis (Egis) is a legendary, invincible shield (or protective armor) carried by Zeus and Athena. It bears the head of Medusa, striking terror into enemies.

Interactive Architecture

Aegis intercepts traditional REST payloads natively, encrypting them locally at the OS level before they ever hit the browser network stack.

Frontend Hook
Fetch/XHR Proxy
DOM Hook
Browser extension
Aegis Extension
Native Messaging
OS Daemon
Rust Native Host
IPC Port
OS Secure Keyring
GPG Keychain
PGP Payload
Backend Layer
Gateway Middleware

🛡️ Transparent Browser Hook

A lightweight proxy injected into the DOM that overrides window.fetch and XMLHttpRequest. It autonomously intercepts REST calls, checks for 'x-gpg-support' headers, and tunnels payloads without modifying frontend logic.

Live Encryption Flow

Watch how request envelopes (including sensitive headers like JWT and body data) are securely encrypted and resolved in real-time.

Pinentry - GPG Passphrase user@mail.tdl

Please enter the passphrase to unlock the GPG Secret Key:

domain.tld WKD Server
.well-known/openpgpkey
Browser DOM
📄 HTTP Request (Plain)
METHOD: POST /api/user Authorization: Bearer eyJhbGciOi... Content-Type: application/json { "ssn": "000-12-3456", "balance": 92834.12 }
Backend Server
Client
Formulating REST API request in DOM. Session JWT header and body are in plaintext.
1/8

Interactive GPG Authentication Simulator

Experience the entire zero-trust environment lifecycle in real-time. Follow the steps to resolve dependency requirements and authenticate securely using local GPG cryptography.

https://console.acme.corp/login
Aegis

Aegis HTTP Extension Not Found! * Required

The Aegis web extension is needed to hook network requests and coordinate key discovery. Please install the browser extension to proceed.

Aegis HTTP Native Host Missing! * Required

The extension is installed, but the background Rust Native Messaging host is not running on your OS. It is required to safely interact with your local GPG binary.

PINENTRY - GPG PASSPHRASE USER@MAIL.TDL

Please enter the passphrase to unlock the GPG Secret Key:

Login Successful!

The signature has been verified by the Caddy Gateway. An encrypted session JWT has been issued to the client.

{
  "status": "success",
  "sessionToken": "gpg_session_92834b...",
  "user": "user@mail.tdl"
}
https://chrome.google.com/webstore/detail/aegis-http
Aegis

Aegis HTTP

Offered by: aegis-http.org

Aegis Secure E2E Tunneling Demo
bash - setup-native-host.sh
Ubuntu Software
Aegis

aegis-host

Publisher: Aegis Project

GPG Native Messaging Daemon for secure browser communication.
00:00 / 00:33

Ecosystem & Repositories

Explore the components that make up the Aegis HTTP end-to-end encrypted architecture.

Extensions & Hosts

Browser integrations intercepting traffic and bridging cryptography to the Operating System's local GPG core daemon.

Frontend SDKs

Plug-and-play libraries that verify whether the Aegis extension is installed, manage connection configurations, and retrieve client status in a zero-configuration setup.

Backend Middleware

Plug-and-play modules running decryption filters on popular framework servers to reconstruct plaintext envelopes.

Web Servers

Reverse-proxy gateway extensions providing transparent E2E decryption/encryption at the edge network layer.

Security Vulnerabilities Solved

Aegis provides solid cryptographic mitigations against common attack vectors threatening modern web architectures.

XSS (Cross-Site Scripting) Key Theft

In standard web wallets or crypto solutions, private keys reside in localStorage or JS Heap Memory. An attacker exploiting an XSS bug can extract these keys instantly. Aegis isolates keys inside the OS keyring, keeping them completely out of reach from malicious scripts.

Man-in-the-Middle (MitM) & TLS Stripping

Even if corporate firewalls inspect TLS certificates, or bad actors perform SSL stripping, payloads routed via Aegis travel as armored AES-256 PGP blocks. The data can only be decrypted by the final backend server holding the matching server key.

Replay Attacks

Outbound payloads are sealed with an ISO8601 Temporal Timestamp and an unpredictable UUID nonce (`_gpg_nonce`). The backend caches used nonces within a short TTL cache, automatically rejecting repeated identical requests.

DOM Decryption Oracle Attacks

To prevent malicious XSS code from leveraging the extension to silently decrypt data in the background, Aegis uses memory-bound, short-lived `x-gpg-session-token` strings generated only upon manual physical user approval (like a OS pinentry challenge).

Full HTTP Header & JWT Protection

Unlike standard application-level encryption that only protects the JSON body, Aegis encrypts the entire HTTP envelope (including custom headers like Authorization: Bearer JWT). This ensures session tokens are completely secure from corporate proxy inspection and passive snooping.

Malicious Plugin & Background Scraping Resistance

If an infected extension, malware, or local Trojan attempts to forge background requests using the victim's cookies, or if an attacker inspects connections via Developer Tools, they cannot intercept the plaintext. Because Aegis encrypts everything end-to-end, all transit payloads and Network tab logs remain strictly locked GPG ciphertext. Decryption only occurs securely outside the browser context.

Comparison Matrix

How Aegis compares to traditional REST security systems

Security Vector Traditional HTTPS / TLS HTTPS + Frontend JS Crypto Aegis GPG Gateway
MitM & TLS Proxy Inspection Vulnerable Immune Immune
XSS Private Key Theft N/A (No Client Keys) High Risk (LocalStorage/JS memory) Immune (Isolated in OS Keyring)
Supply Chain (NPM) Interception Vulnerable Vulnerable (Script Manipulation) Protected (Intercepted at Network Port)
Decryption Oracle Mitigation N/A No Yes (Memory-Bound Interaction Tokens)
GET / DELETE URL Leak Protection Exposed in Logs Exposed in Logs Hidden (Transparent Tunneling via POST /)

Developer Playbook

Integrate Aegis into your current workflow. The frontend writes standard fetch commands while backend middlewares process incoming envelopes transparently.

Client-Side SDK
Server Middleware
Gateway / Web Server

TypeScript Client Initialization

Setup the dynamic DOM proxy to automatically capture calls and manage the session lifecycle.

aegis-app.ts
import { AegisClient } from 'aegis-ts-sdk';

// Initialize the Aegis client hook
const aegis = new AegisClient({
  serverPublicKeyUrl: 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xServerKeyID',
  forceTunneling: true // Encapsulates GET/DELETE headers & endpoints into encrypted POST bodies
});

// Autonomously authenticate via OS keyring GPG signature
await aegis.login();

// Write standard fetch calls - payloads are encrypted transparently!
const response = await fetch('/api/secure-profile', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    SSN: "000-12-3456",
    balance: 92834.12
  })
});

const data = await response.json();
console.log('Decrypted response from server:', data);

GoFiber Middleware Setup

Apply the GPG decryption filter globally. Standard Go controllers process plaintext requests directly.

main.go
package main

import (
	"github.com/AegisHttp/gofiber-aegis"
	"github.com/gofiber/fiber/v2"
)

func main() {
	app := fiber.New()

	// Inject Aegis Decryption Middleware globally
	app.Use(aegis.New(aegis.Config{
		PrivateKeyRingPath: "/home/server/.gnupg/secring.gpg",
		PrivateKeyPassphrase: "SuperSecretBackendPassphrase",
		KeyserverPublish: true, // Auto publishes server public key to Ubuntu keyservers
	}))

	// Your standard routing works out of the box with decrypted JSON payload
	app.Post("/api/secure-profile", func(c *fiber.Ctx) error {
		type RequestData struct {
			SSN     string  `json:"SSN"`
			Balance float64 `json:"balance"`
		}

		var req RequestData
		if err := c.BodyParser(&req); err != nil {
			return c.Status(400).SendString(err.Error())
		}

		return c.JSON(fiber.Map{
			"status": "success",
			"message": "Secure payload processed",
		})
	})

	app.Listen(":8080")
}

Rust Tokio / Axum Handler

Utilize GPG decrypt helpers inside Rust Tokio applications for secure high-throughput services.

main.rs
use axum::{routing::post, Json, Router};
use aegis_tokio::DecryptLayer;
use serde::{Deserialize, Serialize};

#[derive(Deserialize)]
struct ProfileRequest {
    ssn: String,
    balance: f64,
}

#[derive(Serialize)]
struct ProfileResponse {
    status: String,
}

async fn handle_profile(Json(payload): Json) -> Json {
    // Process standard decrypted payload safely
    Json(ProfileResponse {
        status: format!("Processed secure profile for SSN length: {}", payload.ssn.len()),
    })
}

#[tokio::main]
async fn main() {
    let app = Router::new()
        .route("/api/secure-profile", post(handle_profile))
        .layer(DecryptLayer::new("/etc/aegis/server_private.key"));

    axum::Server::bind(&"0.0.0.0:8080".parse().unwrap())
        .serve(app.into_make_service())
        .await
        .unwrap();
}

Caddy Gateway Configuration

Directly decrypt requests and encrypt responses at the proxy layer. Make any language backend Zero-Trust instantly.

Caddyfile
{
    order aegis_http before reverse_proxy
}

:8080 {
    # Route block containing Aegis handler
    route {
        aegis_http {
            challenge_path /api/challenge
            login_path /api/login
            decrypt_requests
            encrypt_responses
            require_keyserver
            check_revocation
            tunneling_enabled
            server_email "api@example.com"
            server_passphrase "secret"
            server_private_key_path "/etc/caddy/server_private.asc"
            server_public_key_path "/etc/caddy/server_public.asc"
        }

        # Seamlessly forwards decrypted traffic to any standard backend
        reverse_proxy localhost:3000
    }
}

Quick Start & Setup

Follow these steps to configure your environment and run Aegis locally.

1

Install & Register the Native Messaging Host

The native host acts as the secure bridge between the browser extension and your OS GPG keyring. Choose your platform installer:

Windows: Download the pre-built aegis-host.exe installer from the official Releases page.
macOS: Install via Homebrew tap:
Homebrew
brew install aegishttp/tap/aegis-host
Linux:
  • Ubuntu / Debian (APT PPA): Install official PPA:
    Terminal
    sudo add-apt-repository ppa:aegis-http/ppa
    sudo apt update
    sudo apt install aegis-host
  • Snap Store (Any distro): Install via Snap:
    Terminal
    sudo snap install aegis-host
  • Arch Linux (AUR): Install AUR binary:
    Terminal
    yay -S aegis-host-bin
  • Compile from Source:
    Terminal
    git clone https://github.com/AegisHttp/native-host-rust.git
    cd native-host-rust
    chmod +x install.sh
    ./install.sh
2

Install the Browser Extension

Download and install the official Aegis HTTP extension directly from the browser web stores:

3

Start Backend & Frontend Services

Launch the example GoFiber server and spin up the frontend React workspace:

terminal
# Term 1: Run Backend
cd gofiber-aegis-http
go run main.go

# Term 2: Run React UI demo
cd ../react-frontend
npm install
npm run dev

Special Thanks

Özgür Yazılım Derneği Hackerspace İstanbul