Open Source

Bungate — Lightning-Fast HTTP Gateway

Enterprise-grade HTTP gateway & load balancer built on Bun. TLS 1.3, JWT key rotation, 8+ load balancing strategies, and zero-config simplicity.

Get Started GitHub
18K+
Requests / second
<1ms
Routing Overhead
8+
LB Strategies
TLS 1.3
Enterprise Security
98.9%
Test Coverage
🚀
Microservices

API Gateway for Microservices

Route traffic to dozens of backend services with intelligent load balancing, JWT auth, and per-route rate limiting — all from a single config file.

const gateway = new BunGateway({ server: { port: 8080 }, cluster: { enabled: true, workers: 4 }, auth: { secret: process.env.JWT_SECRET }, cors: { origin: ['https://myapp.com'] }, }) gateway.addRoute({ pattern: '/users/*', target: 'http://user-svc:3001', rateLimit: { max: 100, windowMs: 60000 }, }) gateway.addRoute({ pattern: '/payments/*', target: 'http://pay-svc:3002', circuitBreaker: { enabled: true, failureThreshold: 3 }, })
🎯
Load Balancer

Intelligent Load Balancer with Health Checks

Distribute traffic across backend pools with 8+ strategies. Automatic health checks detect unhealthy targets and reroute traffic without dropping requests.

gateway.addRoute({ pattern: '/api/*', loadBalancer: { strategy: 'least-connections', targets: [ { url: 'http://api1:3000', weight: 3 }, { url: 'http://api2:3000', weight: 2 }, { url: 'http://api3:3000', weight: 1 }, ], healthCheck: { enabled: true, interval: 15000, path: '/health' }, stickySession: { enabled: true }, }, })
🔒
TLS Proxy

TLS Termination with Auto HTTP→HTTPS Redirect

Terminate TLS 1.3 at the edge with automatic certificate loading, strong cipher suites, and seamless HTTP-to-HTTPS redirection. Zero config beyond pointing at your cert files.

const gateway = new BunGateway({ server: { port: 443 }, security: { tls: { enabled: true, cert: './cert.pem', key: './key.pem', minVersion: 'TLSv1.3', redirectHTTP: true, redirectPort: 80, }, }, })
Cluster Mode

Multi-Process Cluster with Zero-Downtime Restarts

Scale horizontally across all CPU cores. Rolling restarts spawn replacements before stopping old workers — zero dropped connections during deployments.

const gateway = new BunGateway({ server: { port: 3000 }, cluster: { enabled: true, workers: 8, restartWorkers: true, shutdownTimeout: 30000, maxRestarts: 10, }, }) // Scale at runtime: kill -s SIGUSR2 <pid> → rolling restart // Increase workers: gateway.cluster.scaleTo(12)
🛡️
Edge Proxy

Secure Edge Proxy with Defense-in-Depth

Every request passes through TLS termination, input validation, JWT verification, and security headers — before reaching your backend. OWASP Top 10 covered by default.

const gateway = new BunGateway({ security: { tls: { enabled: true, cert: './cert.pem', key: './key.pem' }, jwtKeyRotation: { secrets: [{ key: process.env.JWT_NEW, kid: '2025-05', primary: true }], jwksUri: 'https://auth.example.com/.well-known/jwks.json', }, inputValidation: { blockedPatterns: [/\.\./, /%00/, /<script>/i], }, securityHeaders: { enabled: true }, }, })
use cases
Why Bungate

Built for developers who demand performance

A gateway that combines Bun's native speed with enterprise security — no compromises, no config overhead.

Bun-Native Performance

Optimized for Bun's runtime. 18K+ req/s, single-digit ms latency, sub-30ms p99 response times in production benchmarks against nginx and envoy.

🧠

Smart Load Balancing

Round-robin, least-connections, weighted, ip-hash, random, power-of-two-choices, latency, weighted-least-connections. Cookie-based sticky sessions.

🔒

Enterprise Security

TLS 1.3 with auto HTTP redirect, JWT key rotation with JWKS, input validation, CSRF protection, security headers, trusted proxy validation, OWASP Top 10 coverage.

TypeScript First

Complete type definitions for every API. IDE autocomplete, type safety, and inline documentation from bun add bungate to production.

🔧

Production Ready

Circuit breakers, health checks with configurable intervals, auto-failover, timeout management, cluster mode with zero-downtime rolling restarts. Built for reliability.

🎯

Zero Config

Works out of the box with sensible defaults. Get started in seconds — production-ready from day one with Prometheus metrics, structured logging, and health endpoints.

Get Started

Production-ready in seconds

Install, configure, deploy. A complete API gateway with load balancing, auth, and security — from a single file.

$ bun add bungate
// gateway.ts — production-ready in one file import { BunGateway } from 'bungate' const gateway = new BunGateway({ server: { port: 3000 }, cluster: { enabled: true, workers: 4 }, auth: { secret: process.env.JWT_SECRET }, metrics: { enabled: true }, }) gateway.addRoute({ pattern: '/api/*', loadBalancer: { strategy: 'least-connections', targets: [ { url: 'http://api1.example.com' }, { url: 'http://api2.example.com' }, ], healthCheck: { enabled: true, interval: 15000, path: '/health' }, }, circuitBreaker: { enabled: true, failureThreshold: 5 }, }) await gateway.listen() console.log('🚀 Bungate cluster running on :3000')
Enterprise Security

Battle-tested security defaults

Every request passes through a defense-in-depth pipeline — from TLS termination to JWT validation to input sanitization.

✓ TLS 1.3 ✓ HTTP→HTTPS Redirect ✓ JWT Key Rotation ✓ JWKS Auto-Refresh ✓ Input Validation ✓ XSS Prevention ✓ Path Traversal ✓ DoS Protection ✓ Security Headers ✓ CSRF Protection
// TLS 1.3 + JWT key rotation — zero-downtime const gateway = new BunGateway({ security: { tls: { enabled: true, cert: './cert.pem', key: './key.pem', minVersion: 'TLSv1.3', cipherSuites: ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256'], redirectHTTP: true, }, jwtKeyRotation: { secrets: [ { key: process.env.JWT_NEW, kid: '2025-05', primary: true }, { key: process.env.JWT_OLD, kid: '2025-04', deprecated: true }, ], jwksUri: 'https://auth.example.com/.well-known/jwks.json', jwksRefreshInterval: 3600000, }, inputValidation: { maxPathLength: 2048, maxHeaderSize: 16384, blockedPatterns: [/\\.\\./, /%00/, /<script>/i], }, }, })
Security Coverage

Penetration tested. 803 tests. Zero failures.

Bungate underwent a comprehensive security audit in an isolated Docker environment. Every vulnerability found was fixed and verified before shipping. Here's the real data.

🛡

Pentest Verified

Full security audit with exploit simulation: double-encoding traversal, health check cascade DoS, X-Forwarded-For rate limit bypass, CORS evasion. All 4 vulnerabilities found and fixed.

Zero Regressions

Every security fix validated against the full 803-test suite. 633 to 803 tests during coverage improvement. Zero pre-existing tests broken by security patches.

🔬

Recursive Decode Engine

Custom recursiveDecodeURIComponent() defeats multi-layer encoding attacks (%252f to %2f to /). Two-pass validation: raw path then fully-decoded path.

98.97%
Line Coverage
94.55%
Function Coverage
803
Tests (44 files)
0
Failures
🔒 Input Validation FIXED

Double-encoding (%252f) and quad-dot traversal now defeated by recursive decode + two-pass validation + expanded blocked patterns.

Cascade Failure FIXED

Threshold-based health checks: 3 consecutive failures to mark unhealthy, 2 successes to recover. Min-healthy floor prevents complete cascade.

📈 Rate Limit Bypass FIXED

Rate limiter now keys on the gateway's getClientIP() via trusted proxy validator. X-Forwarded-For rotation no longer bypasses limits.

🌐 Error Handler FIXED

Global error handler properly catches exceptions. CORS preflight returns clean 204. No more stack trace or internal file path leakage.

Ready to ship faster?

Enterprise security, zero config. Install and deploy in minutes.

View on GitHub