Aegis
Aegis is a zero-trust, end-to-end encrypted HTTP gateway designed to eliminate data-scraping, XSS, and supply-chain tampering. By intercepting standard REST requests at the browser DOM layer and delegating encryption to an isolated OS-level GPG daemon, Aegis guarantees that private keys and plaintext payloads are never exposed to browser memory. Whether protecting sensitive APIs, enforcing OS-level Pinentry challenge-responses, or verifying client identity via Web Key Directory (WKD), Aegis provides a transparent, plug-and-play defense against modern browser-based vulnerabilities.
Aegis intercepts traditional REST payloads natively, encrypting them locally at the OS level before they ever hit the browser network stack.
A lightweight proxy injected into the DOM that overrides window.fetch and XMLHttpRequest. It autonomously intercepts REST calls, checks for 'x-gpg-support' headers, and tunnels payloads without modifying frontend logic.
Watch how request envelopes (including sensitive headers like JWT and body data) are securely encrypted and resolved in real-time.
Please enter the passphrase to unlock the GPG Secret Key:
Experience the entire zero-trust environment lifecycle in real-time. Follow the steps to resolve dependency requirements and authenticate securely using local GPG cryptography.
Publisher: Aegis Project
Explore the components that make up the Aegis HTTP end-to-end encrypted architecture.
Browser integrations intercepting traffic and bridging cryptography to the Operating System's local GPG core daemon.
Plug-and-play libraries that verify whether the Aegis extension is installed, manage connection configurations, and retrieve client status in a zero-configuration setup.
Plug-and-play modules running decryption filters on popular framework servers to reconstruct plaintext envelopes.
Aegis provides solid cryptographic mitigations against common attack vectors threatening modern web architectures.
In standard web wallets or crypto solutions, private keys reside in localStorage or JS Heap Memory. An attacker exploiting an XSS bug can extract these keys instantly. Aegis isolates keys inside the OS keyring, keeping them completely out of reach from malicious scripts.
Even if corporate firewalls inspect TLS certificates, or bad actors perform SSL stripping, payloads routed via Aegis travel as armored AES-256 PGP blocks. The data can only be decrypted by the final backend server holding the matching server key.
Outbound payloads are sealed with an ISO8601 Temporal Timestamp and an unpredictable UUID nonce (`_gpg_nonce`). The backend caches used nonces within a short TTL cache, automatically rejecting repeated identical requests.
To prevent malicious XSS code from leveraging the extension to silently decrypt data in the background, Aegis uses memory-bound, short-lived `x-gpg-session-token` strings generated only upon manual physical user approval (like a OS pinentry challenge).
Unlike standard application-level encryption that only protects the JSON body, Aegis encrypts the entire HTTP envelope (including custom headers like Authorization: Bearer JWT). This ensures session tokens are completely secure from corporate proxy inspection and passive snooping.
If an infected extension, malware, or local Trojan attempts to forge background requests using the victim's cookies, or if an attacker inspects connections via Developer Tools, they cannot intercept the plaintext. Because Aegis encrypts everything end-to-end, all transit payloads and Network tab logs remain strictly locked GPG ciphertext. Decryption only occurs securely outside the browser context.
How Aegis compares to traditional REST security systems
| Security Vector | Traditional HTTPS / TLS | HTTPS + Frontend JS Crypto | Aegis GPG Gateway |
|---|---|---|---|
| MitM & TLS Proxy Inspection | Vulnerable | Immune | Immune |
| XSS Private Key Theft | N/A (No Client Keys) | High Risk (LocalStorage/JS memory) | Immune (Isolated in OS Keyring) |
| Supply Chain (NPM) Interception | Vulnerable | Vulnerable (Script Manipulation) | Protected (Intercepted at Network Port) |
| Decryption Oracle Mitigation | N/A | No | Yes (Memory-Bound Interaction Tokens) |
| GET / DELETE URL Leak Protection | Exposed in Logs | Exposed in Logs | Hidden (Transparent Tunneling via POST /) |
Integrate Aegis into your current workflow. The frontend writes standard fetch commands while backend middlewares process incoming envelopes transparently.
Setup the dynamic DOM proxy to automatically capture calls and manage the session lifecycle.
import { AegisClient } from 'aegis-ts-sdk';
// Initialize the Aegis client hook
const aegis = new AegisClient({
serverPublicKeyUrl: 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xServerKeyID',
forceTunneling: true // Encapsulates GET/DELETE headers & endpoints into encrypted POST bodies
});
// Autonomously authenticate via OS keyring GPG signature
await aegis.login();
// Write standard fetch calls - payloads are encrypted transparently!
const response = await fetch('/api/secure-profile', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
SSN: "000-12-3456",
balance: 92834.12
})
});
const data = await response.json();
console.log('Decrypted response from server:', data);
Apply the GPG decryption filter globally. Standard Go controllers process plaintext requests directly.
package main
import (
"github.com/AegisHttp/gofiber-aegis"
"github.com/gofiber/fiber/v2"
)
func main() {
app := fiber.New()
// Inject Aegis Decryption Middleware globally
app.Use(aegis.New(aegis.Config{
PrivateKeyRingPath: "/home/server/.gnupg/secring.gpg",
PrivateKeyPassphrase: "SuperSecretBackendPassphrase",
KeyserverPublish: true, // Auto publishes server public key to Ubuntu keyservers
}))
// Your standard routing works out of the box with decrypted JSON payload
app.Post("/api/secure-profile", func(c *fiber.Ctx) error {
type RequestData struct {
SSN string `json:"SSN"`
Balance float64 `json:"balance"`
}
var req RequestData
if err := c.BodyParser(&req); err != nil {
return c.Status(400).SendString(err.Error())
}
return c.JSON(fiber.Map{
"status": "success",
"message": "Secure payload processed",
})
})
app.Listen(":8080")
}
Utilize GPG decrypt helpers inside Rust Tokio applications for secure high-throughput services.
use axum::{routing::post, Json, Router};
use aegis_tokio::DecryptLayer;
use serde::{Deserialize, Serialize};
#[derive(Deserialize)]
struct ProfileRequest {
ssn: String,
balance: f64,
}
#[derive(Serialize)]
struct ProfileResponse {
status: String,
}
async fn handle_profile(Json(payload): Json) -> Json {
// Process standard decrypted payload safely
Json(ProfileResponse {
status: format!("Processed secure profile for SSN length: {}", payload.ssn.len()),
})
}
#[tokio::main]
async fn main() {
let app = Router::new()
.route("/api/secure-profile", post(handle_profile))
.layer(DecryptLayer::new("/etc/aegis/server_private.key"));
axum::Server::bind(&"0.0.0.0:8080".parse().unwrap())
.serve(app.into_make_service())
.await
.unwrap();
}
Directly decrypt requests and encrypt responses at the proxy layer. Make any language backend Zero-Trust instantly.
{
order aegis_http before reverse_proxy
}
:8080 {
# Route block containing Aegis handler
route {
aegis_http {
challenge_path /api/challenge
login_path /api/login
decrypt_requests
encrypt_responses
require_keyserver
check_revocation
tunneling_enabled
server_email "api@example.com"
server_passphrase "secret"
server_private_key_path "/etc/caddy/server_private.asc"
server_public_key_path "/etc/caddy/server_public.asc"
}
# Seamlessly forwards decrypted traffic to any standard backend
reverse_proxy localhost:3000
}
}
Follow these steps to configure your environment and run Aegis locally.
The native host acts as the secure bridge between the browser extension and your OS GPG keyring. Choose your platform installer:
aegis-host.exe installer from the official Releases page.
brew install aegishttp/tap/aegis-host
sudo add-apt-repository ppa:aegis-http/ppa
sudo apt update
sudo apt install aegis-host
sudo snap install aegis-host
yay -S aegis-host-bin
git clone https://github.com/AegisHttp/native-host-rust.git
cd native-host-rust
chmod +x install.sh
./install.sh
Download and install the official Aegis HTTP extension directly from the browser web stores:
Launch the example GoFiber server and spin up the frontend React workspace:
# Term 1: Run Backend
cd gofiber-aegis-http
go run main.go
# Term 2: Run React UI demo
cd ../react-frontend
npm install
npm run dev