The latest articles on Forem by Maksat Ramazan (@makennsky). https://forem.com/makennsky https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2170029%2F0ba8bb5f-8036-467e-b98c-9f0bfa91d92d.jpg https://forem.com/makennsky en Maksat Ramazan Fri, 15 May 2026 08:25:04 +0000 https://forem.com/makennsky/i-made-my-go-linter-talk-to-claude-heres-what-i-learned-about-mcp-1530 https://forem.com/makennsky/i-made-my-go-linter-talk-to-claude-heres-what-i-learned-about-mcp-1530 <p>I built a fun side project ? a Go static analyzer that finds code smells. Then I made it work with Claude Code via MCP (Model Context Protocol). Now AI can roast your Go code automatically.</p> <p><strong>Repo:</strong> <a href="https://github.com/aqylsoft/godepvis" rel="noopener noreferrer">github.com/aqylsoft/godepvis</a></p> <h2> The Problem I Didn't Know I Had </h2> <p>You know that moment when you're reviewing a PR and you see a 200-line function? Or a method with 9 parameters? Or someone using <code>context.Background()</code> right next to a perfectly good <code>ctx</code>?</p> <p>These things aren't bugs. They compile fine. Tests pass. But they make you go "hmm" and reach for the comment button.</p> <p>I wanted a tool that catches these patterns automatically. Not to replace code review ? but to handle the boring "hey, this function is too long" comments so humans can focus on actual logic.</p> <p>Golangci-lint is great, but configuring it to catch architectural smells requires yoga-level flexibility. I wanted something opinionated and simple.</p> <p>So I built <code>godepvis</code>.</p> <h2> What godepvis Actually Detects </h2> <p>I call them "sins" because "code smells" sounds too polite. Here's what the tool catches:</p> <h3> The Heavy Hitters </h3> <p><strong><code>huge_function</code></strong> ? Functions over 50 lines. Yes, 50 is arbitrary. No, I won't debate it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Sin detected at user_service.go:45</span> <span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">UserService</span><span class="p">)</span> <span class="n">CreateUser</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">CreateUserRequest</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">User</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="c">// ... 87 lines of validation, database calls,</span> <span class="c">// event publishing, logging, and existential dread</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>huge_main</code></strong> ? The classic "I'll refactor it later" main.go that somehow handles config, DI, server setup, graceful shutdown, and your emotional baggage.</p> <p><strong><code>too_many_params</code></strong> ? Functions with 6+ parameters. Usually a sign you need a struct.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Sin: 8 parameters. Your function is not a phone number.</span> <span class="k">func</span> <span class="n">processOrder</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">userID</span><span class="p">,</span> <span class="n">orderID</span><span class="p">,</span> <span class="n">productID</span> <span class="kt">string</span><span class="p">,</span> <span class="n">quantity</span> <span class="kt">int</span><span class="p">,</span> <span class="n">discount</span> <span class="kt">float64</span><span class="p">,</span> <span class="n">notify</span> <span class="kt">bool</span><span class="p">,</span> <span class="n">logger</span> <span class="o">*</span><span class="n">slog</span><span class="o">.</span><span class="n">Logger</span><span class="p">)</span> <span class="kt">error</span> </code></pre> </div> <h3> The Subtle Ones </h3> <p><strong><code>context_misuse</code></strong> ? Using <code>context.Background()</code> when you already have <code>ctx</code> in scope. This one's sneaky because it works, but breaks cancellation and tracing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="o">*</span><span class="n">Handler</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">event</span> <span class="n">Event</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// ...</span> <span class="n">result</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">h</span><span class="o">.</span><span class="n">client</span><span class="o">.</span><span class="n">Call</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">())</span> <span class="c">// Sin! Use ctx</span> <span class="c">// ...</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>no_tests</code></strong> ? Packages without <code>_test.go</code> files. Sometimes intentional, often forgotten.</p> <p><strong><code>todo_comments</code></strong> ? Those "I'll fix it tomorrow" comments from 2019.</p> <h2> The MCP Adventure </h2> <p>Here's where the weekend project became interesting.</p> <h3> What is MCP? </h3> <p>Model Context Protocol is Anthropic's way of letting AI assistants use external tools. Instead of the AI guessing or asking you to run commands, it can just... call your tool directly.</p> <p>Think of it as giving Claude hands to use your CLI.</p> <h3> The Implementation </h3> <p>MCP is surprisingly simple. It's JSON-RPC over stdio. Your tool:</p> <ol> <li>Receives a JSON request</li> <li>Does the thing</li> <li>Returns a JSON response</li> </ol> <p>Here's the core of my MCP handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">MCPServer</span><span class="p">)</span> <span class="n">handleToolCall</span><span class="p">(</span><span class="n">name</span> <span class="kt">string</span><span class="p">,</span> <span class="n">args</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">any</span><span class="p">)</span> <span class="p">(</span><span class="n">any</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">switch</span> <span class="n">name</span> <span class="p">{</span> <span class="k">case</span> <span class="s">"analyze_code"</span><span class="o">:</span> <span class="n">path</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">args</span><span class="p">[</span><span class="s">"path"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="n">maxIssues</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">args</span><span class="p">[</span><span class="s">"max_issues"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="k">return</span> <span class="n">s</span><span class="o">.</span><span class="n">analyzeCode</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">maxIssues</span><span class="p">)</span> <span class="k">case</span> <span class="s">"list_sin_types"</span><span class="o">:</span> <span class="k">return</span> <span class="n">s</span><span class="o">.</span><span class="n">listSinTypes</span><span class="p">()</span> <span class="k">default</span><span class="o">:</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"unknown tool: %s"</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The protocol handles capability negotiation, tool discovery, and error formatting. You just implement your logic.</p> <h3> What Claude Sees </h3> <p>When you add godepvis to Claude Code's MCP config, it gets two new tools:</p> <ul> <li> <code>analyze_code</code> ? Run the analyzer on a path</li> <li> <code>list_sin_types</code> ? Show what sins we can detect</li> </ul> <p>Now conversations like this work:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User: analyze my Go code for smells Claude: I'll run godepvis on your project. *calls analyze_code tool* Found 20 issues in 519 files: ? huge_main `cmd/consumer/main.go:42` main() is 164 lines ? consider extracting setup logic ? context_misuse `handler.go:120` Using context.Background() but ctx is available in scope ? too_many_params `main.go:157` runWorkerLoop has 8 parameters ? consider a config struct Want me to help refactor any of these? </code></pre> </div> <p>The AI doesn't just report problems ? it can actually suggest fixes because it knows the exact location and context.</p> <h2> Lessons Learned (The Hard Way) </h2> <h3> 1. Keep Responses Concise </h3> <p>My first version returned every detail about every sin. Claude's context window filled up fast on large codebases. Now I return summaries with file:line references.</p> <h3> 2. Validate Inputs Religiously </h3> <p>AI will send weird stuff. Empty strings. Null values. Paths that don't exist. The number 42 as a string when you expected an int.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">maxIssues</span> <span class="o">:=</span> <span class="m">20</span> <span class="c">// default</span> <span class="k">if</span> <span class="n">v</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">args</span><span class="p">[</span><span class="s">"max_issues"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">);</span> <span class="n">ok</span> <span class="o">&amp;&amp;</span> <span class="n">v</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">if</span> <span class="n">parsed</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">Atoi</span><span class="p">(</span><span class="n">v</span><span class="p">);</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">maxIssues</span> <span class="o">=</span> <span class="n">parsed</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Errors Should Be Helpful </h3> <p>When something fails, the AI will show your error to the user or try to fix it. Make errors actionable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Bad</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"failed"</span><span class="p">)</span> <span class="c">// Good</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"path %q does not exist or is not a Go module"</span><span class="p">,</span> <span class="n">path</span><span class="p">)</span> </code></pre> </div> <h3> 4. Test With Real AI Usage </h3> <p>Unit tests are great. But run your tool through Claude a few times. You'll find edge cases you never imagined.</p> <h2> The Architecture (Such As It Is) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>godepvis/ ??? cmd/godepvis/ # CLI entry point ??? internal/ ? ??? analyzer/ # The actual code analysis ? ??? mcp/ # MCP server implementation ? ??? sins/ # Sin definitions and detection ??? go.mod </code></pre> </div> <p>The analyzer walks Go AST, the sins package defines what to look for, and the MCP server wraps it for AI consumption.</p> <p>Nothing fancy. ~1500 lines of Go. The kind of codebase you can read in an afternoon.</p> <h2> Try It Yourself </h2> <h3> CLI Mode </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go <span class="nb">install </span>github.com/aqylsoft/godepvis@latest <span class="c"># Analyze current directory</span> godepvis analyze ./... <span class="c"># Analyze specific path</span> godepvis analyze /path/to/your/project </code></pre> </div> <h3> With Claude Code </h3> <p>Add to <code>~/.claude/mcp.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"godepvis"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"godepvis"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"mcp"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Restart Claude Code. Now you can ask it to analyze your Go code.</p> <h2> Is This Production Ready? </h2> <p>Let me be real: <strong>this is a weekend project</strong>.</p> <p>The detections work. The MCP integration is solid. But I built this to learn, not to replace your existing tooling.</p> <p>That said:</p> <ul> <li>It found real issues in my work codebase</li> <li>The MCP pattern is reusable for other tools</li> <li>It's fun to watch AI roast your code</li> </ul> <h2> What's Next? </h2> <p>Ideas I might implement (PRs welcome):</p> <ul> <li> <strong>Severity levels</strong> ? Not all sins are equal</li> <li> <strong>Auto-fix suggestions</strong> ? Generate the refactored code</li> <li> <strong>More sins</strong> ? Naked returns, error shadowing, import cycles</li> <li> <strong>Ignore patterns</strong> ? Sometimes long functions are okay</li> <li> <strong>VS Code extension</strong> ? Because why not</li> </ul> <h2> Wrapping Up </h2> <p>MCP is the real discovery here. The protocol is simple, the integration is smooth, and suddenly your CLI tools become AI capabilities.</p> <p>godepvis is just one example. Imagine:</p> <ul> <li>Database migration tools that AI can run</li> <li>Infrastructure linters AI can invoke</li> <li>Custom validators for your domain</li> </ul> <p>The barrier between "tool I use" and "tool AI uses" just got a lot lower.</p> <p><strong>What code smells annoy you the most?</strong> I'm looking for new sins to detect. Drop ideas in the comments.</p> <p><em>First time writing about AI tooling. First time publishing a Go analyzer. First time implementing MCP. Lots of firsts. Be gentle, but honest.</em></p> <p><a href="https://github.com/aqylsoft/godepvis" rel="noopener noreferrer">GitHub: aqylsoft/godepvis</a></p> go ai mcp claude Maksat Ramazan Tue, 12 May 2026 15:37:21 +0000 https://forem.com/makennsky/why-your-retry-logic-is-silently-charging-customers-twice-29d3 https://forem.com/makennsky/why-your-retry-logic-is-silently-charging-customers-twice-29d3 <p>You've seen this bug. Maybe you've shipped it.</p> <p>Client sends a payment request. Network hiccups. Client doesn't get a response, so it retries. Your handler runs twice. Two charges. One very angry customer.</p> <p>This isn't a race condition. It's not a bug in your database layer. It's a missing contract between the client and the server: <strong>idempotency</strong>.</p> <h2> What idempotency actually means in HTTP </h2> <p>An HTTP endpoint is idempotent if calling it multiple times with the same input produces the same result — and more importantly, the same <em>effect</em>.</p> <p><code>GET</code> is idempotent by definition. <code>DELETE</code> usually is. <code>POST /payments</code> is not — unless you build it that way.</p> <p>The pattern Stripe, Adyen, and most serious payment APIs use is the <strong>Idempotency-Key header</strong>: the client generates a unique key (usually a UUID) and sends it with every request. The server caches the response and returns it on any subsequent request with the same key, without re-executing the handler.</p> <p>Simple idea. Surprisingly few Go libraries implement it correctly.</p> <p>I built <a href="https://github.com/aqylsoft/once" rel="noopener noreferrer"><code>once</code></a> because I wanted something that handles the edge cases right — per-key locking, double-check pattern, configurable caching — without pulling in a framework. If you already have a solution you're happy with, this article might still be useful for the reasoning behind the implementation. If you don't, here's one that works.</p> <h2> The problems that make this non-trivial </h2> <p>Before jumping to code, here's what makes a naive implementation break in production.</p> <p><strong>1. Thundering herd on the first request</strong></p> <p>Ten retries arrive simultaneously. The key doesn't exist in the store yet. All ten pass the cache check, all ten acquire the handler. You've now processed the request ten times.</p> <p>The fix is a per-key lock: the first goroutine acquires it, executes the handler, stores the result. The other nine wait, then hit the cache. But locking introduces its own problem — you need a double-check after acquiring the lock, because another goroutine may have already written the result while you were waiting.</p> <p><strong>2. What to cache when the handler fails</strong></p> <p>If your handler returns a 500, do you cache that? If yes, retries get a cached error instead of a real retry. If no, the thundering herd problem is back for any request that fails.</p> <p>The right answer: make it configurable. Cache only <code>200</code>, <code>201</code>, <code>204</code> by default. Let the caller decide what counts as a final response.</p> <p><strong>3. Same key, different body</strong></p> <p>Client sends key <code>abc</code> with <code>amount=100</code>. Something goes wrong client-side. It resends key <code>abc</code> with <code>amount=200</code>. If you just return the cached response, you've silently ignored a changed request.</p> <p>Stripe returns <code>422</code> in this case. You should too — optionally, since the hash check has a cost.</p> <p><strong>4. Concurrent lock on the same key in progress</strong></p> <p>If a request is actively being processed (lock held), a duplicate arriving at that exact moment shouldn't wait — it should get <code>409 Conflict</code> immediately, so the client knows to back off and retry later rather than pile up.</p> <h2> Building it as middleware </h2> <p>I wanted something that drops into any <code>net/http</code> stack without dependencies, with a pluggable store interface — the same approach I used for <a href="https://github.com/aqylsoft/circuitbreaker" rel="noopener noreferrer"><code>circuitbreaker</code></a>.</p> <p>The core interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Store</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Get</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">key</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">Response</span><span class="p">,</span> <span class="kt">bool</span><span class="p">)</span> <span class="n">Set</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">key</span> <span class="kt">string</span><span class="p">,</span> <span class="n">resp</span> <span class="o">*</span><span class="n">Response</span><span class="p">,</span> <span class="n">ttl</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span><span class="p">)</span> <span class="kt">error</span> <span class="n">Lock</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">key</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="n">unlock</span> <span class="k">func</span><span class="p">(),</span> <span class="n">err</span> <span class="kt">error</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The middleware logic, simplified:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">New</span><span class="p">(</span><span class="n">store</span> <span class="n">Store</span><span class="p">,</span> <span class="n">opts</span> <span class="o">...</span><span class="n">Option</span><span class="p">)</span> <span class="k">func</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">Handler</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(</span><span class="n">next</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">key</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">cfg</span><span class="o">.</span><span class="n">header</span><span class="p">)</span> <span class="c">// No key: pass through or reject, depending on config</span> <span class="k">if</span> <span class="n">key</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">if</span> <span class="n">cfg</span><span class="o">.</span><span class="n">requireKey</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Idempotency-Key header is required"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">next</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Cache hit: return stored response</span> <span class="k">if</span> <span class="n">cached</span><span class="p">,</span> <span class="n">found</span> <span class="o">:=</span> <span class="n">store</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">key</span><span class="p">);</span> <span class="n">found</span> <span class="p">{</span> <span class="n">cached</span><span class="o">.</span><span class="n">writeTo</span><span class="p">(</span><span class="n">w</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Acquire per-key lock</span> <span class="n">unlock</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">store</span><span class="o">.</span><span class="n">Lock</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">key</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">==</span> <span class="n">ErrLocked</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Request in progress"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusConflict</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">unlock</span><span class="p">()</span> <span class="c">// Double-check after lock (another goroutine may have written it)</span> <span class="k">if</span> <span class="n">cached</span><span class="p">,</span> <span class="n">found</span> <span class="o">:=</span> <span class="n">store</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">key</span><span class="p">);</span> <span class="n">found</span> <span class="p">{</span> <span class="n">cached</span><span class="o">.</span><span class="n">writeTo</span><span class="p">(</span><span class="n">w</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Execute handler, capture response</span> <span class="n">rw</span> <span class="o">:=</span> <span class="n">newResponseWriter</span><span class="p">(</span><span class="n">w</span><span class="p">)</span> <span class="n">next</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">rw</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="c">// Store only if status is considered final</span> <span class="k">if</span> <span class="n">cfg</span><span class="o">.</span><span class="n">cacheableStatus</span><span class="p">[</span><span class="n">rw</span><span class="o">.</span><span class="n">statusCode</span><span class="p">]</span> <span class="p">{</span> <span class="n">store</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">rw</span><span class="o">.</span><span class="n">toResponse</span><span class="p">(</span><span class="n">requestHash</span><span class="p">),</span> <span class="n">cfg</span><span class="o">.</span><span class="n">ttl</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The double-check after acquiring the lock is what separates a correct implementation from one that looks correct in testing and fails at 3am.</p> <h2> Response capture </h2> <p>To cache what the handler wrote, you need to intercept writes to <code>http.ResponseWriter</code>. The standard approach — wrap it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">responseWriter</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span> <span class="n">statusCode</span> <span class="kt">int</span> <span class="n">body</span> <span class="p">[]</span><span class="kt">byte</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">rw</span> <span class="o">*</span><span class="n">responseWriter</span><span class="p">)</span> <span class="n">WriteHeader</span><span class="p">(</span><span class="n">code</span> <span class="kt">int</span><span class="p">)</span> <span class="p">{</span> <span class="n">rw</span><span class="o">.</span><span class="n">statusCode</span> <span class="o">=</span> <span class="n">code</span> <span class="n">rw</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">code</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">rw</span> <span class="o">*</span><span class="n">responseWriter</span><span class="p">)</span> <span class="n">Write</span><span class="p">(</span><span class="n">b</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="p">)</span> <span class="p">{</span> <span class="n">rw</span><span class="o">.</span><span class="n">body</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">rw</span><span class="o">.</span><span class="n">body</span><span class="p">,</span> <span class="n">b</span><span class="o">...</span><span class="p">)</span> <span class="k">return</span> <span class="n">rw</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="o">.</span><span class="n">Write</span><span class="p">(</span><span class="n">b</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>This captures both the status code and body, so you can store a complete response and replay it exactly on cache hits.</p> <h2> Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">store</span> <span class="o">:=</span> <span class="n">once</span><span class="o">.</span><span class="n">NewMemoryStore</span><span class="p">()</span> <span class="k">defer</span> <span class="n">store</span><span class="o">.</span><span class="n">Stop</span><span class="p">()</span> <span class="n">middleware</span> <span class="o">:=</span> <span class="n">once</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">store</span><span class="p">,</span> <span class="n">once</span><span class="o">.</span><span class="n">WithTTL</span><span class="p">(</span><span class="m">24</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">),</span> <span class="n">once</span><span class="o">.</span><span class="n">WithRequireKey</span><span class="p">(</span><span class="no">true</span><span class="p">),</span> <span class="n">once</span><span class="o">.</span><span class="n">WithRequestHashCheck</span><span class="p">(</span><span class="no">true</span><span class="p">),</span> <span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/payments"</span><span class="p">,</span> <span class="n">middleware</span><span class="p">(</span><span class="n">paymentHandler</span><span class="p">))</span> </code></pre> </div> <p>Client side:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/payments</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Idempotency-Key</span><span class="p">:</span> <span class="s">550e8400-e29b-41d4-a716-446655440000</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="p">{</span><span class="nl">"amount"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="p">,</span><span class="w"> </span><span class="nl">"currency"</span><span class="p">:</span><span class="w"> </span><span class="s2">"USD"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>First request: handler executes, response cached, <code>X-Idempotent-Replayed: false</code>.<br><br> Any repeat with the same key: cached response returned, <code>X-Idempotent-Replayed: true</code>, handler never touched.</p> <h2> HTTP semantics </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Status</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><code>200</code></td> <td>Cached response replayed</td> </tr> <tr> <td><code>400</code></td> <td>Key required but missing</td> </tr> <tr> <td><code>409</code></td> <td>Same key currently in flight</td> </tr> <tr> <td><code>422</code></td> <td>Key exists but request body differs</td> </tr> </tbody> </table></div> <h2> Request body validation </h2> <p>When <code>WithRequestHashCheck(true)</code> is set, the middleware computes a SHA-256 of the request body and stores it alongside the response. On subsequent requests with the same key, it compares hashes — if they differ, it returns <code>422</code> instead of the cached result.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">hashRequestBody</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="n">body</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">io</span><span class="o">.</span><span class="n">ReadAll</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Body</span> <span class="o">=</span> <span class="n">io</span><span class="o">.</span><span class="n">NopCloser</span><span class="p">(</span><span class="n">bytes</span><span class="o">.</span><span class="n">NewReader</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="c">// restore for handler</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">sha256</span><span class="o">.</span><span class="n">Sum256</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="k">return</span> <span class="n">hex</span><span class="o">.</span><span class="n">EncodeToString</span><span class="p">(</span><span class="n">h</span><span class="p">[</span><span class="o">:</span><span class="p">])</span> <span class="p">}</span> </code></pre> </div> <p>One detail: after reading the body for hashing, you must restore <code>r.Body</code> — otherwise the handler sees an empty body. Easy to miss, painful to debug.</p> <h2> Benchmarks </h2> <p>Measured on Intel Core i7-1355U:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>ns/op</th> </tr> </thead> <tbody> <tr> <td>Cache hit</td> <td>2,834</td> </tr> <tr> <td>Cache hit (parallel)</td> <td>3,427</td> </tr> <tr> <td>Cache miss (first write)</td> <td>4,429</td> </tr> <tr> <td>Passthrough (no key)</td> <td>2,716</td> </tr> <tr> <td>With body hash check</td> <td>4,632</td> </tr> <tr> <td>Thundering herd (100 goroutines)</td> <td>618,231 total / 6,182 per goroutine</td> </tr> </tbody> </table></div> <p>Cache hits are cheap. The thundering herd test launches 100 concurrent goroutines for the same key — only one executes the handler, the rest wait and read from cache. The total time looks large; the per-goroutine cost is reasonable.</p> <h2> C shared library </h2> <p>There's a <code>cgo</code> subpackage that compiles <code>once</code> into a shared library (<code>libonce.so</code>) with a C API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="kt">void</span> <span class="nf">once_init</span><span class="p">(</span><span class="kt">void</span><span class="p">);</span> <span class="kt">int</span> <span class="nf">once_check</span><span class="p">(</span><span class="kt">char</span><span class="o">*</span> <span class="n">key</span><span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">response</span><span class="p">,</span> <span class="kt">int</span> <span class="n">responseLen</span><span class="p">);</span> <span class="kt">int</span> <span class="nf">once_store</span><span class="p">(</span><span class="kt">char</span><span class="o">*</span> <span class="n">key</span><span class="p">,</span> <span class="kt">int</span> <span class="n">statusCode</span><span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">body</span><span class="p">,</span> <span class="kt">int</span> <span class="n">bodyLen</span><span class="p">,</span> <span class="kt">int</span> <span class="n">ttlSeconds</span><span class="p">);</span> <span class="kt">int</span> <span class="nf">once_lock</span><span class="p">(</span><span class="kt">char</span><span class="o">*</span> <span class="n">key</span><span class="p">);</span> <span class="kt">void</span> <span class="nf">once_unlock</span><span class="p">(</span><span class="kt">int</span> <span class="n">lockId</span><span class="p">);</span> </code></pre> </div> <p>This lets you use the same idempotency logic from PHP, Python, or any language with FFI — useful if you have a mixed-stack service where you want consistent behavior without reimplementing the semantics.</p> <h2> What this doesn't cover </h2> <p>In-memory store means the cache doesn't survive restarts and isn't shared across instances. For multi-instance deployments, you need a Redis-backed store. The <code>Store</code> interface is designed for that — a Redis implementation is a thin wrapper around <code>SET NX PX</code> for locking and regular <code>GET</code>/<code>SET</code> for caching.</p> <p>Also: this middleware handles HTTP-level idempotency. If your handler does external calls (third-party payment APIs, email sends), those need their own idempotency handling. The middleware can't protect you from non-idempotent side effects outside your service.</p> <h2> The library </h2> <p><a href="https://github.com/aqylsoft/once" rel="noopener noreferrer">github.com/aqylsoft/once</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go get github.com/aqylsoft/once </code></pre> </div> <p>Zero external dependencies for the core package. MIT license.</p> <p>If you're building anything that takes money, sends notifications, or mutates state in response to external events — you probably need this.</p> go microservices architecture fintech Maksat Ramazan Tue, 31 Mar 2026 11:58:11 +0000 https://forem.com/makennsky/how-a-kind-of-working-payment-gateway-made-me-write-this-circuit-breaker-3fd2 https://forem.com/makennsky/how-a-kind-of-working-payment-gateway-made-me-write-this-circuit-breaker-3fd2 <h1> I got bored and wrote a circuit breaker </h1> <p>A few years ago I was working at a fintech company. We had an integration with a payment gateway. Critical one — money literally depended on it.</p> <p>One day it started behaving weird.</p> <p>Not down. Not healthy. Just <strong>slow enough to destroy everything</strong>.</p> <p>Requests were hanging. Threads piling up. Retries amplifying the problem. Other services started lagging. The gateway was still <em>responding</em> — just slowly enough to kill us.</p> <p>We needed a circuit breaker. We didn't have one. So we hacked something together in production. Ugly, tightly coupled, impossible to test.</p> <p>Fast forward to now — I built the circuit breaker I wish we had back then.</p> <h2> Show me the code </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">breaker</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">circuitbreaker</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"stripe"</span><span class="p">,</span> <span class="n">cb</span><span class="o">.</span><span class="n">WithConsecutiveFailures</span><span class="p">(</span><span class="m">5</span><span class="p">),</span> <span class="n">cb</span><span class="o">.</span><span class="n">WithOpenTimeout</span><span class="p">(</span><span class="m">30</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">),</span> <span class="p">)</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">breaker</span><span class="o">.</span><span class="n">Execute</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="k">func</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">return</span> <span class="n">stripeClient</span><span class="o">.</span><span class="n">Charge</span><span class="p">(</span><span class="n">amount</span><span class="p">)</span> <span class="p">})</span> <span class="k">if</span> <span class="n">errors</span><span class="o">.</span><span class="n">Is</span><span class="p">(</span><span class="n">err</span><span class="p">,</span> <span class="n">cb</span><span class="o">.</span><span class="n">ErrCircuitOpen</span><span class="p">)</span> <span class="p">{</span> <span class="c">// fallback or fail fast</span> <span class="p">}</span> </code></pre> </div> <p>That's it. Wrap any unreliable call — payment gateways, external APIs, legacy services, that one dependency that "kinda works".</p> <h2> Why not just use timeouts? </h2> <p>Timeouts protect your goroutine.<br> Circuit breakers protect your system.</p> <p>When a dependency becomes slow:</p> <ul> <li>retries multiply the load</li> <li>queues grow</li> <li>latency spreads</li> <li>healthy parts fail because of one sick dependency</li> </ul> <p>Circuit breaker says: <em>"nope, not calling this for a while"</em>. System breathes again.</p> <h2> What's inside </h2> <p><strong>Two trip strategies:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Trip after N consecutive failures</span> <span class="n">cb</span><span class="o">.</span><span class="n">WithConsecutiveFailures</span><span class="p">(</span><span class="m">5</span><span class="p">)</span> <span class="c">// Trip when error rate exceeds threshold in time window</span> <span class="n">cb</span><span class="o">.</span><span class="n">WithSlidingWindow</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Minute</span><span class="p">,</span> <span class="m">0.5</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span> <span class="c">// 50% errors, min 10 requests</span> </code></pre> </div> <p><strong>State machine:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Closed → Open → Half-Open → Closed ↑___________| (probe fails) </code></pre> </div> <p><strong>Distributed support:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Share state across instances via Redis</span> <span class="n">store</span> <span class="o">:=</span> <span class="n">redisstore</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">redisClient</span><span class="p">)</span> <span class="n">breaker</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">cb</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"stripe"</span><span class="p">,</span> <span class="n">cb</span><span class="o">.</span><span class="n">WithStore</span><span class="p">(</span><span class="n">store</span><span class="p">))</span> </code></pre> </div> <h2> The numbers </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">BenchmarkExecute_Closed-8 89 ns/op 0 B/op 0 allocs/op BenchmarkExecute_Open-8 15 ns/op 0 B/op 0 allocs/op BenchmarkExecute_Parallel-8 45 ns/op 0 B/op 0 allocs/op </span></code></pre> </div> <p>Zero allocations in the hot path. No background goroutines. No magic.</p> <h2> Design constraints </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Rule</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td>No background workers</td> <td>Predictable resource usage</td> </tr> <tr> <td>No framework coupling</td> <td>Drop into any codebase</td> </tr> <tr> <td>Explicit configuration</td> <td>No surprises in production</td> </tr> <tr> <td>Simple state machine</td> <td>Easy to reason about at 3 AM</td> </tr> </tbody> </table></div> <p>~500 lines of code. One dependency (Redis client, optional).</p> <h2> Features </h2> <ul> <li>Consecutive failure counting</li> <li>Sliding window with error rate threshold</li> <li>Configurable half-open probes</li> <li>Custom failure detection (<code>WithIsFailure</code>)</li> <li>State change callbacks (<code>WithOnStateChange</code>)</li> <li>Redis store for distributed systems</li> <li>Thread-safe, race-free</li> </ul> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go get github.com/aqylsoft/circuitbreaker go get github.com/aqylsoft/circuitbreaker/redisstore <span class="c"># optional</span> </code></pre> </div> <h2> The real reason this exists </h2> <p>I still remember staring at dashboards at 3 AM, watching everything slow down because of one broken dependency, and thinking: <em>"we should have done this properly from day one"</em>.</p> <p>This is me doing it properly. Years later.</p> <p><strong>GitHub:</strong> <a href="https://github.com/aqylsoft/circuitbreaker" rel="noopener noreferrer">https://github.com/aqylsoft/circuitbreaker</a></p> <p>PRs and issues welcome. If this is useful — a star would be nice.</p> go microservices architecture Maksat Ramazan Fri, 13 Mar 2026 12:56:53 +0000 https://forem.com/makennsky/zero-dependency-http-fingerprinting-library-in-go-bot-detection-with-ja3-3ad8 https://forem.com/makennsky/zero-dependency-http-fingerprinting-library-in-go-bot-detection-with-ja3-3ad8 <p>Last month I was building an API for a fintech project. We had rate limiting in place (using <a href="https://github.com/aqylsoft/kazrl" rel="noopener noreferrer">kazrl</a>, actually), but bots kept slipping through. They'd rotate IPs, spoof User-Agents, and our simple checks were useless.</p> <p>I needed something smarter. Something that could identify clients by <em>how</em> they make requests, not just <em>what</em> they send.</p> <p>That's when I went down the rabbit hole of HTTP fingerprinting. And after reading papers on JA3, TLS fingerprinting, and header analysis — I realized there was no simple Go library that did all of this without pulling in half the internet as dependencies.</p> <p>So I built <strong><a href="https://github.com/aqylsoft/reqdna" rel="noopener noreferrer">reqdna</a></strong> — a zero-dependency HTTP fingerprinting library for Go 1.26+.</p> <h2> What is HTTP Fingerprinting? </h2> <p>Every HTTP client leaves a unique "fingerprint" based on:</p> <ul> <li> <strong>TLS handshake</strong> — cipher suites, extensions, curves offered</li> <li> <strong>Header order</strong> — browsers send headers in specific sequences</li> <li> <strong>Header presence</strong> — real browsers send Accept-Language, bots often don't</li> <li> <strong>User-Agent patterns</strong> — obvious, but still useful in combination</li> </ul> <p>The key insight: <strong>even if a bot spoofs the User-Agent, it can't easily fake the TLS handshake</strong>. That's where JA3 comes in.</p> <h2> JA3: The TLS Fingerprint </h2> <p>JA3 is a method developed by Salesforce to fingerprint TLS clients. It extracts data from the ClientHello message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csvs"><code><span class="nv">Format:</span> <span class="k">SSLVersion</span><span class="p">,</span><span class="k">Ciphers</span><span class="p">,</span><span class="k">Extensions</span><span class="p">,</span><span class="k">EllipticCurves</span><span class="p">,</span><span class="k">ECPointFormats</span> <span class="nv">Example:</span> <span class="mf">771</span><span class="p">,</span><span class="mf">4865</span><span class="err">-</span><span class="mf">4866</span><span class="err">-</span><span class="mf">4867</span><span class="err">-</span><span class="mf">49196</span><span class="p">,</span><span class="mf">0</span><span class="err">-</span><span class="mf">23</span><span class="err">-</span><span class="mf">65281</span><span class="err">-</span><span class="mf">10</span><span class="err">-</span><span class="mf">11</span><span class="p">,</span><span class="mf">29</span><span class="err">-</span><span class="mf">23</span><span class="err">-</span><span class="mf">24</span><span class="p">,</span><span class="mf">0</span> <span class="nv">Hash:</span> <span class="k">MD</span><span class="mf">5</span> <span class="err">→</span> <span class="k">ada</span><span class="mf">70206e40642</span><span class="k">a</span><span class="mf">3e4461</span><span class="k">f</span><span class="mf">35503241</span><span class="k">d</span><span class="mf">5</span> </code></pre> </div> <p>Every browser version has a unique JA3 hash. Chrome, Firefox, curl, Python requests — all different. And here's the kicker: <strong>it's extremely hard to spoof</strong>.</p> <p>To fake a JA3 fingerprint, you'd need to modify the TLS library itself. Most bots don't bother.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Client</th> <th>JA3 Hash</th> </tr> </thead> <tbody> <tr> <td>Chrome</td> <td><code>b32309a26951912be7dba376398abc3b</code></td> </tr> <tr> <td>Firefox</td> <td><code>839bbe3ed07fed922ded5aaf714d6842</code></td> </tr> <tr> <td>curl</td> <td><code>456523fc94726331a4d5a2e1d40b2cd7</code></td> </tr> <tr> <td>Python requests</td> <td><code>3b5074b1b5d032e5620f69f9f700ff0e</code></td> </tr> </tbody> </table></div> <h2> Enter reqdna </h2> <p>Here's the simplest usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"net/http"</span> <span class="s">"github.com/aqylsoft/reqdna"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">fp</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">FromRequest</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Fingerprint:"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">Hash</span><span class="p">[</span><span class="o">:</span><span class="m">16</span><span class="p">])</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Bot Score:"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">BotScore</span><span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Is Bot:"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">IsBot</span><span class="p">())</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Device:"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">Device</span><span class="o">.</span><span class="n">Type</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">Device</span><span class="o">.</span><span class="n">Browser</span><span class="p">)</span> <span class="p">})</span> <span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="s">":8080"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>That's it. <strong>10 lines</strong> and you have:</p> <ul> <li>Stable fingerprint hash</li> <li>Bot probability score (0.0 - 1.0)</li> <li>Device/browser detection</li> <li>IP analysis (hashed for GDPR compliance)</li> </ul> <h2> The Fingerprint Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Fingerprint</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Hash</span> <span class="kt">string</span> <span class="c">// Stable SHA256 fingerprint</span> <span class="n">IP</span> <span class="n">IPInfo</span> <span class="c">// IP metadata (hashed by default)</span> <span class="n">TLS</span> <span class="n">TLSInfo</span> <span class="c">// TLS fingerprint with JA3</span> <span class="n">Headers</span> <span class="n">HeaderInfo</span> <span class="c">// Header analysis</span> <span class="n">Device</span> <span class="n">DeviceInfo</span> <span class="c">// OS, browser, device type</span> <span class="n">BotScore</span> <span class="kt">float64</span> <span class="c">// 0.0 - 1.0 probability</span> <span class="n">RequestedAt</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> </code></pre> </div> <p>The <code>BotScore</code> is calculated from multiple signals:</p> <ul> <li>Missing standard headers (User-Agent, Accept, Accept-Language)</li> <li>Low header count (bots send minimal headers)</li> <li>Known bot patterns in User-Agent</li> <li>Header entropy (too uniform = suspicious)</li> <li>Outdated TLS versions</li> <li>Device type detection</li> </ul> <h2> Full JA3 Fingerprinting </h2> <p>Here's where it gets interesting. Go's <code>crypto/tls</code> package exposes <code>ClientHelloInfo</code> through the <code>GetConfigForClient</code> callback. This contains <strong>everything</strong> we need for JA3:</p> <ul> <li><code>SupportedVersions</code></li> <li><code>CipherSuites</code></li> <li> <code>Extensions</code> (added in Go 1.21!)</li> <li><code>SupportedCurves</code></li> <li><code>SupportedPoints</code></li> </ul> <p>No external dependencies. No C bindings. Pure Go stdlib.</p> <p>Here's how to enable full JA3:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"crypto/tls"</span> <span class="s">"fmt"</span> <span class="s">"net/http"</span> <span class="s">"github.com/aqylsoft/reqdna"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// 1. Create store to capture ClientHello</span> <span class="n">store</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">NewClientHelloStore</span><span class="p">()</span> <span class="c">// 2. Wrap your TLS config</span> <span class="n">tlsConfig</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">WrapTLSConfig</span><span class="p">(</span><span class="o">&amp;</span><span class="n">tls</span><span class="o">.</span><span class="n">Config</span><span class="p">{</span> <span class="n">MinVersion</span><span class="o">:</span> <span class="n">tls</span><span class="o">.</span><span class="n">VersionTLS12</span><span class="p">,</span> <span class="p">},</span> <span class="n">store</span><span class="p">)</span> <span class="c">// 3. Use JA3-aware middleware</span> <span class="n">mux</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewServeMux</span><span class="p">()</span> <span class="n">mux</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="n">handler</span><span class="p">)</span> <span class="n">wrapped</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">MiddlewareWithJA3</span><span class="p">(</span><span class="n">mux</span><span class="p">,</span> <span class="n">store</span><span class="p">)</span> <span class="c">// 4. Start HTTPS server</span> <span class="n">server</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">http</span><span class="o">.</span><span class="n">Server</span><span class="p">{</span> <span class="n">Addr</span><span class="o">:</span> <span class="s">":443"</span><span class="p">,</span> <span class="n">Handler</span><span class="o">:</span> <span class="n">wrapped</span><span class="p">,</span> <span class="n">TLSConfig</span><span class="o">:</span> <span class="n">tlsConfig</span><span class="p">,</span> <span class="p">}</span> <span class="n">server</span><span class="o">.</span><span class="n">ListenAndServeTLS</span><span class="p">(</span><span class="s">"cert.pem"</span><span class="p">,</span> <span class="s">"key.pem"</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">handler</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">fp</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">())</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Your fingerprint: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">Hash</span><span class="p">[</span><span class="o">:</span><span class="m">16</span><span class="p">])</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Bot score: %.2f</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">BotScore</span><span class="p">)</span> <span class="k">if</span> <span class="n">fp</span><span class="o">.</span><span class="n">TLS</span><span class="o">.</span><span class="n">JA3</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"JA3 Hash: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">TLS</span><span class="o">.</span><span class="n">JA3</span><span class="o">.</span><span class="n">Hash</span><span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"JA3 String: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">fp</span><span class="o">.</span><span class="n">TLS</span><span class="o">.</span><span class="n">JA3</span><span class="o">.</span><span class="n">String</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The magic happens in <code>WrapTLSConfig</code>. It intercepts the TLS handshake, captures the ClientHello, and stores it keyed by remote address. The middleware then retrieves it and computes the full JA3.</p> <h2> How JA3 Computation Works </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Simplified from ja3.go</span> <span class="k">func</span> <span class="n">ComputeJA3</span><span class="p">(</span><span class="n">hello</span> <span class="o">*</span><span class="n">tls</span><span class="o">.</span><span class="n">ClientHelloInfo</span><span class="p">)</span> <span class="o">*</span><span class="n">JA3Info</span> <span class="p">{</span> <span class="c">// Filter out GREASE values (RFC 8701)</span> <span class="n">cipherSuites</span> <span class="o">:=</span> <span class="n">filterGREASE</span><span class="p">(</span><span class="n">hello</span><span class="o">.</span><span class="n">CipherSuites</span><span class="p">)</span> <span class="n">extensions</span> <span class="o">:=</span> <span class="n">filterGREASE</span><span class="p">(</span><span class="n">hello</span><span class="o">.</span><span class="n">Extensions</span><span class="p">)</span> <span class="n">curves</span> <span class="o">:=</span> <span class="n">filterGREASE</span><span class="p">(</span><span class="n">hello</span><span class="o">.</span><span class="n">SupportedCurves</span><span class="p">)</span> <span class="c">// Build JA3 string</span> <span class="c">// Format: Version,Ciphers,Extensions,Curves,PointFormats</span> <span class="n">ja3String</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%d,%s,%s,%s,%s"</span><span class="p">,</span> <span class="n">hello</span><span class="o">.</span><span class="n">SupportedVersions</span><span class="p">[</span><span class="m">0</span><span class="p">],</span> <span class="n">join</span><span class="p">(</span><span class="n">cipherSuites</span><span class="p">,</span> <span class="s">"-"</span><span class="p">),</span> <span class="n">join</span><span class="p">(</span><span class="n">extensions</span><span class="p">,</span> <span class="s">"-"</span><span class="p">),</span> <span class="n">join</span><span class="p">(</span><span class="n">curves</span><span class="p">,</span> <span class="s">"-"</span><span class="p">),</span> <span class="n">join</span><span class="p">(</span><span class="n">hello</span><span class="o">.</span><span class="n">SupportedPoints</span><span class="p">,</span> <span class="s">"-"</span><span class="p">),</span> <span class="p">)</span> <span class="c">// MD5 hash for compatibility with original JA3</span> <span class="n">hash</span> <span class="o">:=</span> <span class="n">md5</span><span class="o">.</span><span class="n">Sum</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="n">ja3String</span><span class="p">))</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">JA3Info</span><span class="p">{</span> <span class="n">String</span><span class="o">:</span> <span class="n">ja3String</span><span class="p">,</span> <span class="n">Hash</span><span class="o">:</span> <span class="n">hex</span><span class="o">.</span><span class="n">EncodeToString</span><span class="p">(</span><span class="n">hash</span><span class="p">[</span><span class="o">:</span><span class="p">]),</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>GREASE values (0x0a0a, 0x1a1a, etc.) are filtered per the JA3 spec — they're random values browsers insert to test server compatibility.</p> <h2> Bot Detection in Practice </h2> <p>Here's a real-world pattern for protecting an API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">protectedHandler</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">fp</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">())</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Internal error"</span><span class="p">,</span> <span class="m">500</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Hard block obvious bots</span> <span class="k">if</span> <span class="n">fp</span><span class="o">.</span><span class="n">IsBot</span><span class="p">()</span> <span class="p">{</span> <span class="c">// BotScore &gt;= 0.7</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Access denied"</span><span class="p">,</span> <span class="m">403</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Flag suspicious requests for review</span> <span class="k">if</span> <span class="n">fp</span><span class="o">.</span><span class="n">IsSuspicious</span><span class="p">()</span> <span class="p">{</span> <span class="c">// BotScore &gt;= 0.4</span> <span class="n">logSuspiciousRequest</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">fp</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Use fingerprint for smarter rate limiting</span> <span class="c">// Instead of just IP, use fp.Hash</span> <span class="k">if</span> <span class="o">!</span><span class="n">rateLimiter</span><span class="o">.</span><span class="n">Allow</span><span class="p">(</span><span class="n">fp</span><span class="o">.</span><span class="n">Hash</span><span class="p">)</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Too many requests"</span><span class="p">,</span> <span class="m">429</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Proceed with normal handling</span> <span class="n">handleRequest</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The key insight: <strong>fingerprint-based rate limiting is much harder to bypass than IP-based</strong>. Rotating IPs doesn't help when your TLS fingerprint stays the same.</p> <h2> Middleware Integration </h2> <p>Works with any router:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Standard library</span> <span class="n">handler</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">Middleware</span><span class="p">(</span><span class="n">mux</span><span class="p">)</span> <span class="c">// Chi</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">chi</span><span class="o">.</span><span class="n">NewRouter</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">reqdna</span><span class="o">.</span><span class="n">MiddlewareFunc</span><span class="p">())</span> <span class="c">// With JA3 (requires HTTPS)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">reqdna</span><span class="o">.</span><span class="n">MiddlewareFuncWithJA3</span><span class="p">(</span><span class="n">store</span><span class="p">))</span> </code></pre> </div> <h2> Performance </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">BenchmarkComputeJA3-12 815370 1411 ns/op 792 B/op 28 allocs BenchmarkFromRequest-12 298992 3972 ns/op 1016 B/op 26 allocs </span></code></pre> </div> <p><strong>~4μs per request</strong>. That's negligible compared to typical handler latency.</p> <h2> Privacy Considerations </h2> <p>By default, IP addresses are <strong>hashed with a salt</strong> before being included in the fingerprint. This means:</p> <ul> <li>You can identify repeat visitors</li> <li>You can't reverse the hash to get the original IP</li> <li>GDPR-friendly by design </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Custom salt for your application</span> <span class="n">fp</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">FromRequest</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">WithHashSalt</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"FINGERPRINT_SALT"</span><span class="p">)),</span> <span class="p">)</span> </code></pre> </div> <h2> Testing Your Code </h2> <p>The library provides test helpers and interfaces for easy mocking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestBotBlocking</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Create a bot fingerprint for testing</span> <span class="n">fp</span> <span class="o">:=</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">TestBotFingerprint</span><span class="p">()</span> <span class="k">if</span> <span class="o">!</span><span class="n">fp</span><span class="o">.</span><span class="n">IsBot</span><span class="p">()</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="s">"should detect as bot"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Or use interfaces for dependency injection</span> <span class="k">type</span> <span class="n">mockExtractor</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">fp</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">Fingerprint</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">m</span> <span class="o">*</span><span class="n">mockExtractor</span><span class="p">)</span> <span class="n">Extract</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="n">reqdna</span><span class="o">.</span><span class="n">Fingerprint</span> <span class="p">{</span> <span class="k">return</span> <span class="n">m</span><span class="o">.</span><span class="n">fp</span> <span class="p">}</span> </code></pre> </div> <h2> What's Next? </h2> <p>Some ideas I'm considering:</p> <ul> <li> <strong>Known JA3 database</strong> — map hashes to known clients</li> <li> <strong>Behavioral analysis</strong> — request timing patterns</li> <li> <strong>WebSocket fingerprinting</strong> — extend to WS connections</li> <li> <strong>Integration with kazrl</strong> — fingerprint-aware rate limiting out of the box</li> </ul> <h2> Conclusion </h2> <p>Bot detection is an arms race. Simple checks like User-Agent validation haven't been effective for years. But TLS fingerprinting with JA3 raises the bar significantly — bots now need to modify their TLS stack to evade detection.</p> <p><strong>reqdna</strong> gives you all of this with zero dependencies, ~4μs overhead, and a clean API. It's the "DNA" of HTTP requests.</p> <p>Check it out: <a href="https://github.com/aqylsoft/reqdna" rel="noopener noreferrer">github.com/aqylsoft/reqdna</a></p> <p><em>If you found this useful, I also wrote about building a <a href="https://dev.to/makennsky/building-a-zero-dependency-rate-limiter-in-go-token-bucket-leaky-bucket-sliding-window-134n">zero-dependency rate limiter</a> in Go. These two libraries work great together.</em></p> <p><strong>What fingerprinting techniques do you use for bot detection? Let me know in the comments!</strong></p> programming go computerscience softwareengineering Maksat Ramazan Wed, 19 Nov 2025 14:49:26 +0000 https://forem.com/makennsky/building-a-zero-dependency-rate-limiter-in-go-token-bucket-leaky-bucket-sliding-window-134n https://forem.com/makennsky/building-a-zero-dependency-rate-limiter-in-go-token-bucket-leaky-bucket-sliding-window-134n <p>Rate limiting is essential for protecting APIs from abuse, ensuring fair resource allocation, and maintaining system stability. While there are existing solutions, I wanted to build something lightweight, performant, and easy to integrate into any Go project.</p> <p>Today, I'm sharing <strong>kazrl</strong> - a zero-dependency rate limiter library that implements three different algorithms and comes with ready-to-use middleware for popular Go web frameworks.</p> <h2> The Problem </h2> <p>Most rate limiting libraries either:</p> <ul> <li>Come with heavy dependencies</li> <li>Support only one algorithm</li> <li>Require complex setup for per-client limiting</li> <li>Lack middleware integration</li> </ul> <p>I needed something that:</p> <ul> <li>Has zero external dependencies</li> <li>Supports multiple algorithms (Token Bucket, Leaky Bucket, Sliding Window)</li> <li>Works with popular frameworks out of the box</li> <li>Provides flexible per-client rate limiting</li> </ul> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go get github.com/Makennsky/kazrl </code></pre> </div> <p>That's it! No transitive dependencies to worry about.</p> <h2> Quick Start </h2> <p>Here's the simplest way to add rate limiting to your HTTP handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"net/http"</span> <span class="s">"github.com/Makennsky/kazrl"</span> <span class="s">"github.com/Makennsky/kazrl/middleware"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Create a rate limiter: 100 requests per second, burst of 200</span> <span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="c">// Apply middleware</span> <span class="n">rateLimitMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTP</span><span class="p">(</span><span class="n">limiter</span><span class="p">)</span> <span class="n">handler</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">Write</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="s">"Hello, World!"</span><span class="p">))</span> <span class="p">})</span> <span class="n">http</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/api/"</span><span class="p">,</span> <span class="n">rateLimitMiddleware</span><span class="p">(</span><span class="n">handler</span><span class="p">))</span> <span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="s">":8080"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>That's literally 10 lines of code to add rate limiting!</p> <h2> Three Algorithms, One Interface </h2> <p>Different use cases need different strategies. kazrl implements three battle-tested algorithms:</p> <h3> 1. Token Bucket </h3> <p>Perfect for APIs that need to allow bursts while maintaining average rate limits.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">10</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="c">// 10 requests per second, allows bursts up to 20</span> </code></pre> </div> <p><strong>Use case</strong>: Public APIs, user-facing endpoints</p> <h3> 2. Leaky Bucket </h3> <p>Smooths out traffic spikes by processing requests at a constant rate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewLeakyBucket</span><span class="p">(</span><span class="m">10</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="c">// Processes 10 req/s, queues up to 20</span> </code></pre> </div> <p><strong>Use case</strong>: Protecting downstream services, database queries</p> <h3> 3. Sliding Window </h3> <p>Provides the most accurate rate limiting without fixed window edge cases.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewSlidingWindow</span><span class="p">(</span><span class="m">10</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="c">// 10 req/s with a sliding time window</span> </code></pre> </div> <p><strong>Use case</strong>: Strict rate enforcement, billing APIs</p> <p>All three implement the same interface, so switching is trivial:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">RateLimiter</span> <span class="k">interface</span> <span class="p">{</span> <span class="n">Allow</span><span class="p">()</span> <span class="kt">bool</span> <span class="n">AllowN</span><span class="p">(</span><span class="n">n</span> <span class="kt">int</span><span class="p">)</span> <span class="kt">bool</span> <span class="n">Wait</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="kt">error</span> <span class="n">WaitN</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">n</span> <span class="kt">int</span><span class="p">)</span> <span class="kt">error</span> <span class="n">Reserve</span><span class="p">()</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="n">ReserveN</span><span class="p">(</span><span class="n">n</span> <span class="kt">int</span><span class="p">)</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="p">}</span> </code></pre> </div> <h2> Per-Client Rate Limiting Made Easy </h2> <p>The real power comes with per-client limiting. Here's how to rate limit by IP address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">rateLimitMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTPWithKeyFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">()</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">RateLimiter</span> <span class="p">{</span> <span class="k">return</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">10</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="c">// 10 req/s per IP</span> <span class="p">},</span> <span class="n">middleware</span><span class="o">.</span><span class="n">KeyByIP</span><span class="p">,</span> <span class="c">// Built-in IP extractor</span> <span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/api/"</span><span class="p">,</span> <span class="n">rateLimitMiddleware</span><span class="p">(</span><span class="n">handler</span><span class="p">))</span> </code></pre> </div> <p>Each IP address automatically gets its own rate limiter instance. The library handles X-Forwarded-For and X-Real-IP headers correctly.</p> <h3> Rate Limit by API Key </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">rateLimitMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTPWithKeyFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">()</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">RateLimiter</span> <span class="p">{</span> <span class="k">return</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="p">},</span> <span class="n">middleware</span><span class="o">.</span><span class="n">KeyByAPIKey</span><span class="p">,</span> <span class="c">// Extracts from Authorization header</span> <span class="p">)</span> </code></pre> </div> <h3> Custom Key Functions </h3> <p>Need something more complex? Write your own key extractor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">customKeyFunc</span> <span class="o">:=</span> <span class="k">func</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="c">// Rate limit by IP + endpoint combination</span> <span class="k">return</span> <span class="n">middleware</span><span class="o">.</span><span class="n">KeyByIP</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="o">+</span> <span class="s">":"</span> <span class="o">+</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span> <span class="p">}</span> <span class="n">rateLimitMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTPWithKeyFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">()</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">RateLimiter</span> <span class="p">{</span> <span class="k">return</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">5</span><span class="p">,</span> <span class="m">10</span><span class="p">)</span> <span class="p">},</span> <span class="n">customKeyFunc</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h2> Framework Integration </h2> <p>kazrl provides native middleware for popular frameworks:</p> <h3> Gin </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">r</span> <span class="o">:=</span> <span class="n">gin</span><span class="o">.</span><span class="n">Default</span><span class="p">()</span> <span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">Gin</span><span class="p">(</span><span class="n">limiter</span><span class="p">))</span> </code></pre> </div> <h3> Echo </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">e</span> <span class="o">:=</span> <span class="n">echo</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="n">e</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">Echo</span><span class="p">(</span><span class="n">limiter</span><span class="p">))</span> </code></pre> </div> <h3> Fiber </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">app</span> <span class="o">:=</span> <span class="n">fiber</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="n">app</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">Fiber</span><span class="p">(</span><span class="n">limiter</span><span class="p">))</span> </code></pre> </div> <h3> Chi </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">r</span> <span class="o">:=</span> <span class="n">chi</span><span class="o">.</span><span class="n">NewRouter</span><span class="p">()</span> <span class="n">limiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">Chi</span><span class="p">(</span><span class="n">limiter</span><span class="p">))</span> </code></pre> </div> <h2> Multi-Layer Rate Limiting </h2> <p>For advanced scenarios, you can stack multiple rate limiters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// Global limit: 1000 req/s for all clients</span> <span class="n">globalLimiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">1000</span><span class="p">,</span> <span class="m">2000</span><span class="p">)</span> <span class="n">globalMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTP</span><span class="p">(</span><span class="n">globalLimiter</span><span class="p">)</span> <span class="c">// Per-IP limit: 10 req/s per client</span> <span class="n">perIPMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTPWithKeyFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">()</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">RateLimiter</span> <span class="p">{</span> <span class="k">return</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">10</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="p">},</span> <span class="n">middleware</span><span class="o">.</span><span class="n">KeyByIP</span><span class="p">,</span> <span class="p">)</span> <span class="c">// Stack them!</span> <span class="n">handler</span> <span class="o">:=</span> <span class="n">globalMiddleware</span><span class="p">(</span><span class="n">perIPMiddleware</span><span class="p">(</span><span class="n">yourHandler</span><span class="p">))</span> </code></pre> </div> <p>This protects against both individual abuse and total system overload.</p> <h2> Performance </h2> <p>Benchmarks on a modern system (Intel i7-1355U):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>BenchmarkTokenBucketAllow-12 4,574,689 ops 255.6 ns/op 0 allocs/op BenchmarkLeakyBucketAllow-12 5,218,902 ops 208.3 ns/op 0 allocs/op BenchmarkSlidingWindowAllow-12 6,476,462 ops 198.6 ns/op 0 allocs/op </code></pre> </div> <p><strong>200-260 nanoseconds</strong> per operation with <strong>zero allocations</strong>. That's fast enough for the most demanding applications.</p> <h2> Production-Ready Features </h2> <h3> Context Support </h3> <p>All blocking operations support context cancellation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">ctx</span><span class="p">,</span> <span class="n">cancel</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithTimeout</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="m">1</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">)</span> <span class="k">defer</span> <span class="n">cancel</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">limiter</span><span class="o">.</span><span class="n">Wait</span><span class="p">(</span><span class="n">ctx</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// Handle timeout or cancellation</span> <span class="p">}</span> </code></pre> </div> <h3> Reservation API </h3> <p>For advanced use cases, you can reserve tokens and schedule work:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">waitDuration</span> <span class="o">:=</span> <span class="n">limiter</span><span class="o">.</span><span class="n">Reserve</span><span class="p">()</span> <span class="k">if</span> <span class="n">waitDuration</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="c">// Schedule for later</span> <span class="n">time</span><span class="o">.</span><span class="n">AfterFunc</span><span class="p">(</span><span class="n">waitDuration</span><span class="p">,</span> <span class="n">processRequest</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c">// Process immediately</span> <span class="n">processRequest</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <h3> Thread-Safe </h3> <p>All operations are thread-safe. You can safely use the same limiter instance across multiple goroutines.</p> <h2> Algorithm Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Algorithm</th> <th>Burst Support</th> <th>Smoothing</th> <th>Memory</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td>Token Bucket</td> <td>Yes</td> <td>No</td> <td>Low</td> <td>Public APIs, burst tolerance</td> </tr> <tr> <td>Leaky Bucket</td> <td>Queued</td> <td>Yes</td> <td>Medium</td> <td>Downstream protection</td> </tr> <tr> <td>Sliding Window</td> <td>No</td> <td>No</td> <td>High</td> <td>Strict enforcement</td> </tr> </tbody> </table></div> <h2> Implementation Insights </h2> <h3> Why Zero Dependencies? </h3> <p>Dependencies are a security and maintenance burden. By keeping kazrl dependency-free:</p> <ul> <li>No supply chain attacks via transitive dependencies</li> <li>Faster installation and smaller binaries</li> <li>No version conflicts with your other dependencies</li> <li>Easy to audit (&lt; 2000 lines of code)</li> </ul> <h3> Concurrency Design </h3> <p>Each algorithm uses <code>sync.Mutex</code> for thread-safety. While this might seem simple, it's actually the right choice here:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">tokenBucket</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">Mutex</span> <span class="n">rate</span> <span class="kt">float64</span> <span class="n">burst</span> <span class="kt">int</span> <span class="n">tokens</span> <span class="kt">float64</span> <span class="n">lastUpdate</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> </code></pre> </div> <p>Lock contention is minimal because:</p> <ol> <li>Operations are extremely fast (&lt; 300ns)</li> <li>The critical section is tiny (just token math)</li> <li>Per-client limiting distributes the load</li> </ol> <p>For most applications, you'll never see contention. If you're handling millions of requests per second per endpoint, you might need a distributed solution anyway.</p> <h3> Memory Management </h3> <p>The library is designed to minimize allocations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// No allocations in the hot path</span> <span class="k">func</span> <span class="p">(</span><span class="n">tb</span> <span class="o">*</span><span class="n">tokenBucket</span><span class="p">)</span> <span class="n">Allow</span><span class="p">()</span> <span class="kt">bool</span> <span class="p">{</span> <span class="n">tb</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">tb</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="n">now</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span> <span class="n">tb</span><span class="o">.</span><span class="n">refillTokens</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c">// Pure math, no allocations</span> <span class="k">if</span> <span class="n">tb</span><span class="o">.</span><span class="n">tokens</span> <span class="o">&gt;=</span> <span class="m">1.0</span> <span class="p">{</span> <span class="n">tb</span><span class="o">.</span><span class="n">tokens</span> <span class="o">-=</span> <span class="m">1.0</span> <span class="k">return</span> <span class="no">true</span> <span class="p">}</span> <span class="k">return</span> <span class="no">false</span> <span class="p">}</span> </code></pre> </div> <p>The only allocations happen when creating new per-client limiters, which is infrequent.</p> <h2> Real-World Example </h2> <p>Here's a complete example of a production-ready API server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"encoding/json"</span> <span class="s">"net/http"</span> <span class="s">"github.com/Makennsky/kazrl"</span> <span class="s">"github.com/Makennsky/kazrl/middleware"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Global rate limit: 10,000 req/s</span> <span class="n">globalLimiter</span> <span class="o">:=</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">10000</span><span class="p">,</span> <span class="m">20000</span><span class="p">)</span> <span class="n">globalMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTP</span><span class="p">(</span><span class="n">globalLimiter</span><span class="p">)</span> <span class="c">// Per-IP rate limit: 100 req/s</span> <span class="n">perIPMiddleware</span> <span class="o">:=</span> <span class="n">middleware</span><span class="o">.</span><span class="n">HTTPWithKeyFunc</span><span class="p">(</span> <span class="k">func</span><span class="p">()</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">RateLimiter</span> <span class="p">{</span> <span class="k">return</span> <span class="n">kazrl</span><span class="o">.</span><span class="n">NewTokenBucket</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="m">200</span><span class="p">)</span> <span class="p">},</span> <span class="n">middleware</span><span class="o">.</span><span class="n">KeyByIP</span><span class="p">,</span> <span class="p">)</span> <span class="c">// API handler</span> <span class="n">apiHandler</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">response</span> <span class="o">:=</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span> <span class="s">"status"</span><span class="o">:</span> <span class="s">"ok"</span><span class="p">,</span> <span class="s">"message"</span><span class="o">:</span> <span class="s">"Request processed"</span><span class="p">,</span> <span class="p">}</span> <span class="n">json</span><span class="o">.</span><span class="n">NewEncoder</span><span class="p">(</span><span class="n">w</span><span class="p">)</span><span class="o">.</span><span class="n">Encode</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> <span class="p">})</span> <span class="c">// Stack middleware</span> <span class="n">http</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/api/"</span><span class="p">,</span> <span class="n">globalMiddleware</span><span class="p">(</span><span class="n">perIPMiddleware</span><span class="p">(</span><span class="n">apiHandler</span><span class="p">)))</span> <span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="s">":8080"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> When to Use Each Algorithm </h2> <p><strong>Token Bucket</strong> - Default choice</p> <ul> <li>Public APIs</li> <li>User-facing endpoints</li> <li>Services that need burst capacity</li> <li>Not suitable when strict rate enforcement is needed</li> </ul> <p><strong>Leaky Bucket</strong> - Traffic shaping</p> <ul> <li>Protecting slow downstream services</li> <li>Database query rate limiting</li> <li>Smoothing traffic spikes</li> <li>Not suitable when you need to allow bursts</li> </ul> <p><strong>Sliding Window</strong> - Strict enforcement</p> <ul> <li>Billing/metered APIs</li> <li>When accuracy is critical</li> <li>Preventing gaming fixed windows</li> <li>Not suitable when you need burst capacity</li> </ul> <h2> Future Plans </h2> <p>Ideas I'm considering:</p> <ul> <li>Distributed rate limiting (Redis backend)</li> <li>Prometheus metrics integration</li> <li>Response header injection (X-RateLimit-*)</li> <li>Dynamic rate adjustment based on system load</li> <li>gRPC interceptors</li> </ul> <p>What would you find useful? Let me know in the comments!</p> <h2> Resources </h2> <ul> <li> <strong>GitHub</strong>: <a href="https://github.com/Makennsky/kazrl" rel="noopener noreferrer">https://github.com/Makennsky/kazrl</a> </li> <li> <strong>Documentation</strong>: Full examples in README</li> <li> <strong>Benchmarks</strong>: Run <code>go test -bench=. -benchmem</code> </li> </ul> <h2> Try It Out </h2> <p>Give kazrl a try in your next project! It's production-ready, battle-tested, and takes 2 minutes to integrate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go get github.com/Makennsky/kazrl </code></pre> </div> <p>If you find it useful, please star the repo on GitHub!</p> <p><strong>What rate limiting challenges have you faced?</strong> Share your experiences in the comments below!</p> <p><em>Built in Kazakhstan</em></p> go ratelimiting webdev