
Nine-Lives-Dev/ninelives-web-guard


@ninelives/web-guard

A tiny, framework-native edge guard for SvelteKit projects.

@ninelives/web-guard blocks common bot and scanner junk paths like .env, .php, wp-admin, and similar noise before they ever hit your app. No WAF. No heavy rules. Just clean, predictable behavior.

Built and maintained by Nine Lives Development.


🤔 Why this exists

Modern sites constantly receive automated requests for:

  • .env
  • .git
  • .php
  • /wp-admin
  • /wp-login.php
  • xmlrpc.php

If you're running SvelteKit on Vercel (or similar), these requests are harmless but noisy. They clutter logs, trigger SEO tool warnings, and waste cycles.

This package short-circuits those requests early and returns a dead end.


✨ Features

  • SvelteKit-native – Works seamlessly with SvelteKit hooks
  • Edge-ready – Runs at the edge before your app logic
  • Zero configuration – Works out of the box
  • Safe 404 responses – Returns clean 404s for blocked paths
  • SEO-friendly – No impact on real users or search engines
  • No dependencies – Lightweight and self-contained

📦 Installation

Using pnpm:

pnpm add github:nine-lives-dev/ninelives-web-guard

Or npm:

npm install github:nine-lives-dev/ninelives-web-guard

🚀 Usage

Basic Setup (SvelteKit)

Add to your src/hooks.server.js:

import { blockJunkPaths } from "@ninelives/web-guard/sveltekit";

export async function handle({ event, resolve }) {
    const blocked = blockJunkPaths(event);
    if (blocked) return blocked;

    return resolve(event);
}

That's it! The guard will now block common junk paths automatically.

Custom Configuration

Override the default blocked paths with your own list:

import { blockJunkPaths } from "@ninelives/web-guard/sveltekit";

export async function handle({ event, resolve }) {
    const blocked = blockJunkPaths(event, {
        blocked: [
            ".env",
            ".git",
            "wp-admin",
            "phpmyadmin",
            // Add your own patterns
            "custom-path",
            "another-pattern",
        ],
    });

    if (blocked) return blocked;

    return resolve(event);
}

🛡️ Default Blocked Patterns

The following patterns are blocked by default:

Environment & Config Files

  • .env, .git, .config, .aws, .ssh
  • config.php, configuration.php

WordPress

  • .php, wp-admin, wp-login, wp-content, wp-includes
  • xmlrpc.php, wp-config

Database Tools

  • phpmyadmin, pma, adminer, mysql, database

Admin Panels

  • cpanel, plesk, webmail

Common CMS

  • joomla, drupal, magento

Backup Files

  • .backup, .bak, .old, .sql, .dump

Server Files

  • phpinfo, cgi-bin, .asp, .aspx

Upload/File Managers

  • filemanager, tinymce, elfinder

API Docs/Testing

  • swagger, api-docs, .well-known/security.txt

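All matching is case-insensitive substring matching: a request is blocked when its pathname contains any of these patterns anywhere, so a legitimate route whose path includes one of them (for example the word database) is blocked as well.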
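To check which of your own routes the documented contains rule would answer with a 404, the following added example (not the package's source) models that rule, audits a route list against it, and compares a stricter segment-boundary rule. The names `containsMatch`, `segmentMatch` and `auditRoutes`, the pattern subset and the sample routes are assumptions made for illustration.

```javascript
// Added example: models the README's documented rule, not the package's source.
// Subset of the default patterns listed above.
const PATTERNS = [".env", ".git", ".php", "wp-admin", "wp-login", "pma",
  "mysql", "database", "swagger", "api-docs", ".well-known/security.txt"];

// Documented behaviour: case-insensitive "pathname contains pattern".
function containsMatch(pathname, patterns = PATTERNS) {
  const path = pathname.toLowerCase();
  return patterns.find((p) => path.includes(p.toLowerCase())) ?? null;
}

// Hypothetical stricter rule: a pattern must line up with path segment
// boundaries. Dot-prefixed patterns also match as a file extension.
function segmentMatch(pathname, patterns = PATTERNS) {
  const segments = pathname.toLowerCase().split("/").filter(Boolean);
  const path = "/" + segments.join("/");
  return patterns.find((raw) => {
    const p = raw.toLowerCase();
    if (p.includes("/")) return path === "/" + p || path.endsWith("/" + p);
    return segments.some((s) =>
      s === p || s.startsWith(p + ".") || (p.startsWith(".") && s.endsWith(p)));
  }) ?? null;
}

// Pre-deployment check: which of the app's own routes would receive a 404?
// Only the pathname is tested, so query strings are ignored.
function auditRoutes(routes, matcher) {
  return routes
    .map((route) => ({ route, pattern: matcher(new URL(route, "http://x").pathname) }))
    .filter((hit) => hit.pattern !== null);
}

// Constructed sample routes for an imagined app.
const ROUTES = ["/", "/blog/database-indexing-tips", "/docs/mysql-setup",
  "/shop/pmanager", "/.well-known/security.txt", "/pricing?ref=.env"];

console.log("contains:", auditRoutes(ROUTES, containsMatch));
console.log("segment: ", auditRoutes(ROUTES, segmentMatch));
```

Routes the audit flags can be kept reachable by passing a trimmed `blocked` list as shown under Custom Configuration; a site that publishes `/.well-known/security.txt` would need to drop that pattern under either rule.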


📄 License

MIT © Nine Lives Development


🤝 Contributing

Issues and pull requests are welcome! Feel free to open an issue on GitHub.


Built by Nine Lives Development
