Vaulty is an HTTP reverse and forward proxy that performs the modification (encrypt, mask, tokenize) of the request and response bodies on the fly.
Vaulty can be used for the following:
- Anonymize data before it reaches your APIs and backends
- Get encryption/decryption for your APIs without changing a line of code
- Provide filtered data for a specific group of users like support staff, etc.
- Tokenize credit cards, SSNs, etc. for companies that are PCI compliant
- Encrypt your customers' data when you import this data from 3d party services (access tokens, PII, etc.)
Currently you can play with Vaulty, think about how you would like to use it, and share your ideas and feedback so we can make it work for you. It's not ready for production yet.
Routes are the heart of the Vaulty. Routes describe when and how Vaulty should perform transformations. Currently, Vaulty identifies routes based on the HTTP requests’ properties, such as path and method. When you run Vaulty it needs to load information about routes. Let's look at the routes file with the transformations:
In the routes section we describe one inbound route for POST requests with /cards path. Body of such requests will be transformed as follows:
- the element of JSON request body card.number will be tokenized
- the element of JSON request body card.cvc will be tokenized
Transformed body will be sent to the specified upstream: https://api.backend.in
The outbound route in this file performs the opposite. In requests that go to https://api.stripe.com/v1/tokens Vaulty replaces elements of JSON request body such as card.number and card.cvc with their original values and pass the resulting JSON to the destination.