How it works
You ask a question. We give you an answer. That's it.
Acrossed is not a proxy, not a WAF appliance, not a piece of infrastructure you run. It's a hosted HTTP API that takes one input — "should I allow this request?" — and returns one output: allow or deny, signed.
The mental model
1. Your app receives a request.
   Could be a page view, an API call, a login attempt — anything.
2. The Acrossed SDK builds a fingerprint.
   IP, method, path, the headers you care about. No body. No PII you didn't explicitly send.
3. It calls /check.
   One HTTPS POST. We sign it with your secret. Round-trip on a same-region call: 5–25 ms. Engine work: under a millisecond.
4. We answer ALLOW or DENY, with a reason.
   Your code does `if (d.deny) return 403`. Done.

```javascript
import express from "express";
import { Acrossed } from "acrossed";

const app = express();
const ac = new Acrossed({
  apiKey: process.env.ACROSSED_KEY,
  signingSecret: process.env.ACROSSED_SECRET,
});

// Express middleware — one call per request.
app.use(async (req, res, next) => {
  const d = await ac.check(req);
  if (d.deny) return res.status(403).send(d.reason);
  next();
});
```

When to use Acrossed
Block bad IPs across every service you run
One ruleset, every app. When you ban an IP, it's banned in your frontend, your API, your admin panel — instantly. No syncing, no deploys.
Stop credential stuffing at the edge
Per-IP rate limit on /login at, say, 10 req/min. The check happens before your app spends a single CPU cycle on bcrypt or a database lookup.
Geo-fence sensitive routes
Block /admin or /checkout from countries you don't operate in. We map IP → ISO country code at engine speed using a baked-in MaxMind-format database.
Lock internal endpoints behind a header
Require X-Internal-Token on /admin/* — easy to roll, easy to audit, no app-level code to maintain.
Time-window expensive operations
Only allow /export between 9 AM and 9 PM weekdays. Rules can be scheduled.
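
An added example, not Acrossed's engine or SDK code: a local evaluator showing how three of the rules above (10 req/min per IP on /login, X-Internal-Token on /admin/*, the weekday /export window) decide on a fingerprint of IP, method, path and headers. The names `decide` and `safeEqual`, the reason strings, the lower-cased header map and reading the schedule in UTC are assumptions made for the illustration.

```javascript
// Illustration only; every name here is hypothetical, not part of the Acrossed SDK.
const WINDOW_MS = 60_000;  // rate-limit window: one minute
const LOGIN_LIMIT = 10;    // "10 req/min" on /login
const hits = new Map();    // ip -> timestamps (ms) of recently allowed /login requests

// Compare without an early exit so timing does not reveal how many characters matched.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// fp: { ip, method, path, headers } with lower-cased header names (assumed shape).
// nowMs is passed in so every decision is deterministic and testable.
function decide(fp, nowMs, internalToken) {
  if (fp.path === "/login") {
    // Sliding window: keep only the hits from the last 60 seconds.
    const recent = (hits.get(fp.ip) || []).filter((t) => nowMs - t < WINDOW_MS);
    hits.set(fp.ip, recent);
    if (recent.length >= LOGIN_LIMIT) return { deny: true, reason: "rate_limit" };
    recent.push(nowMs);
  }
  if (fp.path.startsWith("/admin/") &&
      !safeEqual(fp.headers["x-internal-token"], internalToken)) {
    // A missing header, a wrong value and an unset server token all fail closed.
    return { deny: true, reason: "internal_token_required" };
  }
  if (fp.path === "/export") {
    const d = new Date(nowMs);
    const weekday = d.getUTCDay() >= 1 && d.getUTCDay() <= 5;      // Mon..Fri
    const inHours = d.getUTCHours() >= 9 && d.getUTCHours() < 21;  // 09:00-20:59 UTC
    if (!(weekday && inHours)) return { deny: true, reason: "outside_window" };
  }
  return { deny: false, reason: "ok" };
}
```

The 11th /login request inside a minute is denied before any password hashing happens, and the same IP is allowed again once the oldest hit ages out of the window.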
How it compares
| Approach | What you actually get | Hosted & stateless |
|---|---|---|
| Acrossed | Hosted, cryptographic, 1 SDK call. Sub-ms. Zero infra. | ✓ |
| nginx limit_req | Self-hosted. Per-instance state. No central rules. | — |
| Cloudflare WAF | Powerful but tied to Cloudflare's edge + opaque pricing. | — |
| Custom middleware | Months of work. Distributed state to coordinate. | — |