Security

Vault35.6k★

Vault is the industry standard for managing secrets: API keys, database passwords, encryption keys, anything that shouldn't live in environment variables or config files. It stores secrets, controls who can access them, rotates them automatically, encrypts data, and logs every access. It's a bank vault for your application secrets. built by HashiCorp. The most widely deployed secrets management tool in production infrastructure. The catch: HashiCorp relicensed Vault from MPL to BSL (Business Source License) in 2023. You can still self-host for free for your own use, but you cannot offer Vault as a managed service competing with HashiCorp. This triggered the OpenBao fork. Also, Vault is powerful but complex; setting up HA (high availability), configuring auth methods, managing policies, and operating the unsealing process requires real infrastructure knowledge. This is not a 'docker run and forget' tool.

Trivy34.9k★

Trivy scans everything in your stack for vulnerabilities: container images, filesystems, Git repos, Kubernetes configs, cloud infrastructure. Container images, filesystems, Git repos, Kubernetes clusters, AWS accounts, Terraform configs. One tool, one command, comprehensive results. It's a security X-ray machine. Point it at anything in your stack and it tells you what's vulnerable, misconfigured, or leaking secrets. It checks against multiple vulnerability databases and updates them automatically. Apache 2.0, backed by Aqua Security. The most popular open source security scanner in the container ecosystem. The catch: Trivy finds problems; it doesn't fix them. You'll get a list of CVEs and misconfigurations, and then it's on you to remediate. At scale, the volume of findings can be overwhelming without a management layer on top. Aqua's commercial platform provides that management layer, which is exactly the upsell.

Gitleaks26.8k★

It runs locally or in CI, checks every commit, and flags anything that looks like a credential. MIT license, Go. Fast. Scans entire repositories in seconds. Comes with 150+ built-in rules for common secret patterns: AWS keys, Stripe tokens, private keys, JWTs. You can add custom rules via a TOML config. Runs as a pre-commit hook or in GitHub Actions, GitLab CI, any pipeline. The CLI tool is fully free and open source. Gitleaks also offers a commercial SaaS product at gitleaks.io with team dashboards and centralized management, but the core scanner is the same. For solo developers and small teams: install it, add the pre-commit hook, done. Five minutes of setup, zero ongoing cost. Medium to large teams might want the commercial dashboard for visibility across repos. The catch: Gitleaks finds secrets, but it doesn't revoke them. When it flags a leaked AWS key, you still need to rotate it yourself. And regex-based detection means false positives happen; high-entropy strings in test fixtures will trigger alerts. You'll spend some time tuning your .gitleaks.toml allowlist.

Infisical26.7k★

Infisical manages your secrets: API keys, database passwords, environment variables, across all your projects and environments. It replaces scattered .env files with a central platform that has versioning, access control, audit logs, and native integrations with Kubernetes, Docker, and CI/CD pipelines. MIT-licensed, free to self-host. Docker Compose setup with Postgres and Redis. The web UI is genuinely good. CLI syncs secrets to local environments. Native Kubernetes operator handles pod injection. The setup is far less operationally complex than Vault, which is the point. Engineering teams with dozens of services and no secrets management discipline will get immediate value. The free self-hosted tier has no artificial limits. Infisical Cloud starts at around 6 USD/month per user for those who want managed hosting. The catch: for teams that need the full Vault feature set (PKI, dynamic secrets, hardware security modules), Infisical does not cover it. It is the right tool for application secrets; it is not a full secret engine.

TruffleHog26.1k★

TruffleHog finds leaked secrets in your code (API keys, passwords, tokens) and verifies whether they're actually live and valid. That's the key difference from other secret scanners. Instead of flagging every high-entropy string, TruffleHog checks if that AWS key still works, if that Slack token is active, if that database password connects. AGPL v3, Go. Scans Git repos, GitHub/GitLab orgs, S3 buckets, Docker images, and filesystems. 800+ credential detectors with built-in verification. The CLI is fast and the output tells you exactly which secrets are verified-active vs. unverified. The open source CLI is free under AGPL. TruffleSecurity offers an Enterprise platform with a dashboard, API, team management, and continuous monitoring. Pricing is custom. For solo developers and small teams: the CLI is everything you need. Run it on your repos, pipe it into CI, done. Medium teams: the CLI still works, but the Enterprise dashboard adds visibility. Large teams: Enterprise for org-wide scanning and compliance reporting. The catch: AGPL license. If you're building a product that incorporates TruffleHog, the copyleft terms require you to open source your code. For internal use it doesn't matter, but SaaS products need to be careful. Also, verification means TruffleHog actually attempts to authenticate with found credentials. In rare cases, this could trigger rate limits or account lockouts on the service being tested.

SOPS21.7k★

SOPS encrypts secret values in your config files while leaving field names in plain text, so you can safely store secrets in git. You can see that a file has a `database_password` field, but the value is encrypted gibberish until you decrypt it. This is elegant because your secrets live in version control alongside your code. No separate secrets server, no external service, no extra infrastructure. The encrypted files are diffable in git. You can see that someone changed the database password even though you can't read the new value. SOPS supports AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, and age (a simple file-based key) for encryption. It works with YAML, JSON, ENV, and INI files. The workflow: edit the file with `sops secrets.yaml`, it decrypts in your editor, you make changes, it re-encrypts on save. The catch: SOPS is for storing secrets, not managing access to them. There's no audit log of who accessed what, no dynamic credential rotation, no fine-grained permissions. For a team of 3 sharing a dozen secrets, SOPS is perfect. For a team of 50 with compliance requirements, you need Vault. Also, key management is on you; if you lose your encryption key and don't have KMS, your secrets are gone forever.

SafeLine21.3k★

SafeLine is a web application firewall (WAF) that sits in front of your servers and filters malicious requests: SQL injection, XSS, bot traffic, credential stuffing. It's a bouncer for your web traffic that inspects every request before it reaches your app. GPL v3, Go. Uses a semantic analysis engine (not just regex pattern matching) to detect attacks, which means lower false positives than traditional WAFs. Dashboard shows traffic stats, blocked threats, and lets you configure rules. Supports reverse proxy mode. Drop it in front of Nginx or any web server. The community edition is free. Docker install, configure your upstream servers, and it's running. Basic WAF protection, bot detection, rate limiting, and IP blocking included. A pro/enterprise version exists with advanced features like enhanced bot protection, API security, and priority support. Pricing isn't publicly listed. Contact sales. Solo developers: free community edition is solid for protecting personal projects and small apps. Small teams: free edition handles most threats. Medium to large: evaluate the pro version for advanced bot protection and API security, or consider Cloudflare WAF if you're already using their CDN. The catch: you're adding another hop in your request chain. Latency increases slightly. The community edition's rule set is less comprehensive than Cloudflare or AWS WAF. And the GPL v3 license means modifications must be open-sourced, which matters if you're integrating it deeply into proprietary infrastructure.

CrowdSec13.3k★

CrowdSec analyzes your server logs, detects attack patterns, and shares threat intelligence with the community. Basically fail2ban on steroids with a global blocklist that everyone contributes to. MIT license, Go. It reads your logs (Nginx, SSH, WordPress, anything), detects attack patterns using community-written scenarios, and takes action: blocking IPs via your firewall, Cloudflare, AWS Security Groups, or a dozen other bouncers. The crowd-sourced threat intelligence means an IP that attacks someone else gets flagged before it hits you. Free tier: the Security Engine (detection + local decisions) is fully free. The community blocklist (crowd-sourced IP reputation) is free. Self-host everything. Paid: CrowdSec Console premium starts around $20/mo per server for advanced dashboards, custom blocklists, and priority threat feeds. Enterprise pricing is custom. Solo: install the free tier on your VPS, block 90% of automated attacks for $0. Small teams (2-10): free tier covers most needs. Pay $20/server/month when you want centralized dashboards across multiple servers. Large teams: enterprise plan for fleet management and custom threat feeds. The catch: CrowdSec depends on accurate log parsing. If your app logs in a non-standard format, you'll write custom parsers. And the community blocklist, while useful, can produce false positives. A shared hosting IP getting flagged because of one bad tenant affects everyone on that IP.

Falco8.9k★

Falco monitors Linux system calls in real time and alerts you when something unexpected happens: a container spawning a shell, a process reading sensitive files, a network connection to an unusual destination. It's a security camera for your Linux kernel. It sees everything a process does because it hooks into the kernel via eBPF. The open source version is free under Apache 2.0. CNCF graduated project. You get real-time threat detection, a rich rule engine, hundreds of pre-built rules for common attack patterns, and output to any alerting system (Slack, PagerDuty, syslog, etc.). Sysdig (the company that created Falco) sells Sysdig Secure, which adds a management UI, compliance dashboards, image scanning, and enterprise support. That's the commercial product. Falco itself has no enterprise tier. Self-hosting is the only option. Install Falco on each host or as a DaemonSet in Kubernetes. The eBPF probe needs a kernel that supports it (5.8+ for best results). Initial setup is straightforward; tuning the rules to reduce false positives is where the real work starts. Solo developers: overkill unless you're running production containers with sensitive data. Small teams: install it on your Kubernetes cluster and configure Slack alerts. Cheap insurance. Growing teams: essential. Runtime security detection is a gap most teams don't fill until something bad happens. The catch: out-of-the-box rules are noisy. You'll get alerts for normal container behavior until you tune the rules for your environment. Budget a few days for tuning, or you'll learn to ignore the alerts, which defeats the purpose.

maltrail8.4k★

Maltrail watches network traffic for connections to known malicious destinations. It pulls public threat feeds (known C2 servers, malware domains, abuse lists) and alerts when a host on your network talks to one of them. Free, MIT-licensed. Setup is moderate. You point it at a network interface or feed it aggregated traffic from your firewall, and let it analyze passively. The web UI shows alerts grouped by severity. Tune the feeds for your environment because public lists generate false positives, especially around shared CDN ranges. For homelabs, small SOCs, and security-conscious dev teams, this is a real tool. It's not a full IDS. Suricata or Zeek do deeper packet inspection. But it answers the simple question: is anything on my network calling out to a known bad place. That's useful even if you also run something heavier. The catch is that it only catches what's already on a public blacklist. Targeted attacks using fresh infrastructure won't trip it. Treat it as one signal in a layered defense, not the whole defense.

cloudquery6.4k★

CloudQuery syncs cloud configuration data into your data warehouse so you can query it with SQL. Pull from AWS, Azure, GCP, and 70+ SaaS sources, land it in Postgres, Snowflake, BigQuery, or whatever you run. Build cloud asset inventory, CSPM, FinOps, or vulnerability dashboards on top of clean tables. Run it as a CLI or scheduled job; pick a source and a destination, and CloudQuery handles the sync. Your cloud data never touches CloudQuery's servers, which matters if you're regulated. The plugin model is the differentiator vs Steampipe, which is more SQL-native and proxy-style. Pick this if you want to own your security data layer and run BI queries against it. Solo and small teams self-hosting get most of what Wiz and Lacework charge for, minus the UI polish and curated rule packs. Large teams might pay for premium plugins or the cloud version; the math is whether plugin maintenance time beats per-source cost. The catch: dashboards aren't included. You build security and FinOps views yourself in Grafana, Metabase, or Superset. If you want a turnkey security console with alerts pre-configured, you're paying Wiz.

Passbolt5.9k★

Passbolt is a password manager built for teams, with end-to-end encryption and user-owned secret keys. The Community Edition gives you password management, shared folders, browser extensions, mobile apps, CLI access, and 2FA. No user limits, no password limits. Self-hosting runs on PHP with MySQL or PostgreSQL. Docker and VM appliance options are available. The setup is straightforward, and the security model is solid: regular third-party audits with published findings. Ongoing maintenance is light if you keep PHP and the database healthy. Solo and small teams get a capable password manager for free. Once you need LDAP provisioning, SSO (Microsoft, Google, OpenID), or audit logging, you are looking at the Business tier at $4.90/user/month (minimum 10 users). That is a fair paywall. SSO and audit logs are enterprise features that cost real money to build. The catch: the 10-user minimum on the Business plan means small teams pay $49/month even if they only have 3 people who need SSO. If that pricing math does not work, Vaultwarden covers similar ground with a lighter footprint.

Modlishka5.3k★

Mitmproxy intercepts, inspects, and modifies HTTP/HTTPS traffic between your applications and the internet in real time. It's a tool that demonstrates why SMS and TOTP-based 2FA aren't as secure as people think. Fully free. No paid tier. This is a security research tool, not a commercial product. Set it up, point it at a target domain, and it automatically mirrors the real site while capturing everything the user types, including one-time 2FA codes. The catch: this is a double-edged sword. It's designed for authorized penetration testing only. Using it against targets without permission is illegal. The project hasn't been actively maintained, and modern phishing-resistant methods like WebAuthn/passkeys defeat it entirely. If you're a defender, this tool shows you exactly why you should be pushing your org toward hardware security keys instead of SMS codes.

leak-check3.9k★

A personal information leak detection tool that checks whether your email, phone, or other personal data has been exposed in known data breaches. An open source alternative to HaveIBeenPwned that you can run yourself. The interface is in Chinese, built for the Chinese developer community. It queries breach databases to find matches against your personal identifiers and reports what was exposed and when. The catch: the breach databases it checks may not cover all sources. HaveIBeenPwned has broader coverage of international breaches. Running your own leak checker means you trust the data sources it queries, and those sources vary in reliability. If you just need a quick check, HaveIBeenPwned is more comprehensive. This tool is better if you want to run checks programmatically or self-host the capability.

teller3.2k★

Teller unifies them behind one CLI and one config file. It's a secrets multiplexer. Map your environment variables to any combination of secret stores, and Teller fetches them at runtime. `teller run, node app.js` injects secrets into your process without them ever touching disk. It also syncs between providers: pull from Vault, push to AWS, or vice versa. Apache 2.0, written in Rust. No paid tier, no cloud version. The catch: Teller solves a real problem but it's a niche one. If you only use one secrets manager, you don't need it. Just use that provider's SDK. The value shows up when you have secrets scattered across 3+ providers and need one workflow. The community is small and the tool is emerging. Don't bet critical infrastructure on it without evaluating the bus factor. For a more established approach, look at how Infisical or HashiCorp Vault handle multi-source aggregation.

METATRON2.8k★

METATRON runs penetration tests with a local LLM doing the analysis. Point it at a target and it executes nmap, nikto, whois, and other standard security scans, then feeds the results to an LLM running on your machine for vulnerability assessment and exploit suggestions. Everything stays local, nothing hits the cloud. Built specifically for Parrot OS (a Linux pen-testing distro), it stores findings in MariaDB and exports reports as PDF or HTML. The LLM integration means you get natural language explanations of scan results instead of parsing raw nmap output yourself. It's essentially a security analyst copilot that runs offline. Security professionals and pen-testers who want AI assistance without sending scan data to external APIs get the most out of this. Students learning security will appreciate the explanations. Experienced red teamers might find the tool suggestions basic compared to their existing workflow. The catch: Parrot OS only, which limits the audience significantly. The local LLM quality depends entirely on your hardware, and smaller models give vague or wrong security advice.

nono2.3k★

Nono provides that. It's a capability-based sandbox where you explicitly grant each permission an agent gets. Basically, it's a bouncer for your operating system: the agent only gets through the doors you open. Capability-based means instead of blocking bad things (which requires knowing all bad things), you whitelist good things. The agent can only access files, network, and system calls you explicitly allow. Everything else is denied at the kernel level. Apache 2.0 licensed, Rust. The catch: kernel-level enforcement means Linux only, no macOS, no Windows. The capability model requires you to think carefully about what permissions each agent needs, which is more work upfront than just running Docker. And the documentation and community support are thin.

zeroboot2.3k★

Zeroboot spins up virtual machine sandboxes in under a millisecond using copy-on-write forking. That speed matters because agents need to spin up and tear down environments constantly, and traditional VMs take seconds to minutes. Sub-millisecond means your agent can create a fresh isolated environment for every single command it runs. No leftover state, no risk of one task contaminating another. It's like giving your agent a brand new computer for every action. Apache 2.0 licensed, Rust. The catch: this is Linux-only (it relies on kernel-level VM features). No macOS, no Windows. The sub-millisecond claim is for the VM fork. Actual workload startup depends on what you're running inside. And the community is small. If you hit an edge case, you're likely on your own.

deepsec2.0k★

Deepsec is a security scanner that pays AI agents to find vulnerabilities the way a human auditor would. You point it at your repo, the agent reads the codebase, and it reports back with the kind of bugs that pattern-match scanners miss. The scan can cost thousands of dollars on a large codebase because it runs frontier models at maximum thinking depth. Apache 2.0, by Vercel Labs. Setup is `npx deepsec init` and a coding agent prompt to populate a project info file. From there, scans fan out across worker machines (or Vercel Sandbox microVMs for distributed runs). Jobs are idempotent, so an interrupted scan picks up where it left off. The model bill flows through Vercel AI Gateway or your own provider keys. Solo developers: probably overkill, and the model bill scares away curiosity scans. Use Snyk's free tier or Semgrep instead. Small teams shipping high-stakes code: a one-time scan of your auth layer or payment flow is in budget and finds real bugs. Large teams with security budgets: this is what you spend $30K on instead of a security consultant. The catch: the cost. A scan of a 100K-line monorepo with frontier models is real money. Read the FAQ before you launch one.

ggshield1.9k★

Ggshield catches that before it reaches your remote repository. It scans your commits for secrets (API keys, passwords, certificates, private keys) and blocks the push if it finds any. Picture a pre-commit hook that prevents your worst 'oh no' moments. MIT license, Python CLI. Runs as a Git hook, in CI/CD pipelines, or as a standalone scanner. Uses GitGuardian's detection engine which recognizes 400+ types of secrets. Also scans for infrastructure-as-code misconfigurations (Terraform, CloudFormation, Kubernetes). The free tier covers individual developers: unlimited local scanning, up to 25 developers on GitGuardian's platform with basic features. Paid plans start at $60/developer/month for teams, which adds historical scanning, dashboards, incident management, and remediation workflows. Solo developers: free and you should install it today. There's no reason not to have secret detection in your Git hooks. Small teams (2-25): free tier covers you. Growing teams: $60/dev/mo adds value when you need historical scanning and incident workflows. Large orgs: enterprise pricing for SAML SSO, custom detectors, and API access. The catch: the real power is in GitGuardian's cloud platform, not just the CLI. The free CLI scans current commits, but finding secrets already buried in your Git history requires the paid platform. TruffleHog and Gitleaks are fully free alternatives that scan history locally, less polished, but no per-developer pricing.

for-open-source1.9k★

This is not a tool you install. It's 1Password's program that gives free team accounts to open source projects. If you maintain an open source project and need to share API keys, deployment credentials, or service passwords with contributors, this gets you a 1Password Teams account at no cost. The application is straightforward: submit your open source project, demonstrate active maintenance, and 1Password provides a free team account with all the premium features: shared vaults, access controls, and the 1Password CLI for CI/CD integration. This matters because open source projects constantly struggle with credential management. Sharing secrets over Discord DMs or unencrypted emails is how breaches happen. A proper password manager with team vaults is the right answer. The catch: this is a proprietary product offered for free, not open source software. 1Password itself is closed-source. If 1Password changes or ends this program, you'd need to migrate. And the free tier is specifically for open source teams; your startup or side business doesn't qualify. For an actually open source password manager, Vaultwarden (self-hosted Bitwarden) is the alternative. It's more work to set up but you own everything.

darksword-kexploit1.3k★

This is the DarkSword kernel exploit reimplemented in clean Objective-C. It targets iOS 15.0 through 26.0.1 and provides arbitrary kernel read/write, the foundation for jailbreaks, security research, and vulnerability analysis. The original DarkSword exploit chain was used by commercial surveillance vendors targeting multiple countries before being leaked publicly. This reimplementation by opa334 (a well-known jailbreak developer) makes it accessible to researchers in clean, readable code rather than the obfuscated original. No license specified. The catch: this is a kernel exploit. The security implications are real. Apple has patched this in newer iOS versions, so it only affects devices that haven't updated. Using this for anything other than security research or personal device modification puts you in legal and ethical gray areas. No license means no explicit permission to use or modify. And if you're not already deep in iOS internals, the code won't teach you much without significant background knowledge.

eth-phishing-detect1.3k★

This is MetaMask's phishing detection library. It maintains a blocklist of known phishing domains targeting crypto users and a fuzzy-matching algorithm that catches typosquatting attempts. You feed it a domain, it tells you if it's a known phishing site or looks suspiciously similar to a legitimate one. MetaMask uses it internally to warn users before they connect their wallet to a malicious site. The library itself is simple; it's the maintained blocklist that's valuable. Community-contributed and regularly updated as new phishing campaigns appear. The catch: this is narrowly focused on Web3/crypto phishing. It won't help with general phishing detection. The blocklist is only as current as the last update; zero-day phishing domains won't be caught until someone reports them. And the license is listed as 'Other'; check the repo for exact terms before integrating commercially.

vault-guides1.1k★

This isn't HashiCorp Vault itself; it's the official collection of example code and tutorials for learning Vault. If you're trying to figure out how to store API keys, database passwords, or encryption keys securely, these guides walk you through Vault's features with working code examples. Vault is a secrets management tool: instead of hardcoding passwords in environment variables or config files, your applications request secrets from Vault at runtime. Vault can also generate temporary database credentials, encrypt data, and manage PKI certificates. It's the industry standard for secrets management at scale. The guides cover identity management, secrets engines, encryption as a service, governance policies, and operational patterns. Examples in Shell, Python, Ruby, and Terraform. Useful for getting started but increasingly dated; some guides reference older Vault versions. Vault itself is source-available (BSL license). The open source fork is OpenBao. HCP Vault (managed cloud) starts at $0.03/hr (~$22/mo) for a small cluster. The catch: these are learning guides, not the tool. If you need Vault, go to the main vault repo. And Vault itself is complex; it's designed for organizations with real compliance requirements. For a solo developer or small team, SOPS or doppler.com handles secrets management with 10% of the complexity.

HacxGPT921★

This tool claims to be a GPT-based hacking/security tool. MIT license, Python-based. The homepage URL points to python.org (not a real project page), and the description is blank. Let me be direct: this has every hallmark of a star-farmed or spam repository. Blank description, generic homepage pointing to python.org, unknown provenance, and a name designed to attract clicks from people searching for 'hacking tools.' The GitHub profile and commit history should be scrutinized before running any code from this repo. If you're looking for legitimate security testing tools, look at the alternatives below. Do not run unknown Python scripts from suspicious repositories on your machine. The catch: everything about this. Don't use it.

littlesnitch-linux827★

Objective Development open-sourced the eBPF networking components behind Little Snitch, their macOS firewall, and brought them to Linux. This gives you kernel-level control over outbound network connections: monitor what your system talks to and block what you don't want. Setup is developer-grade. You need Rust, clang, and bpf-linker to build from source. Traffic filtering works through plain text blocklists (domains and hosts), and the web UI is minimal. This is not a consumer product yet. It's the engine room, published for people who know what eBPF is and why they want it. Security-conscious developers and sysadmins running Linux workstations are the audience. Anyone who wants kernel-level visibility into every outbound connection, and is comfortable building Rust projects, will feel right at home. The catch: GPL-2.0 covers the open source parts, but some components remain proprietary. No GUI to speak of, manual blocklist management, and the build process will filter out anyone who isn't already comfortable in a terminal.

fence719★

Fence sandboxes them without containers. It restricts network access and filesystem access at the OS level, so a rogue script can't phone home or delete your files. What's free: Everything. Apache 2.0 license. Single Go binary, no dependencies, no account. The value proposition is simplicity. Docker gives you isolation but requires the Docker daemon, images, and significant overhead. Fence is one binary. Run `fence <command>` and it executes with network and filesystem restrictions. That's it. For AI agent sandboxing, where you're running LLM-generated code and need guardrails, this is exactly the right weight class. The catch: it's brand new and early-stage. Linux only (uses kernel namespaces and seccomp). No macOS or Windows support. The security model is narrower than a full container. It restricts network and filesystem but doesn't provide complete process isolation. For high-security use cases, you still want containers or VMs. For 'don't let this script access the internet or my home directory,' it's perfect.

VaultSharp540★

VaultSharp is the .NET client library for HashiCorp Vault. Instead of making raw HTTP calls to Vault's API, you get typed methods and objects. Apache 2.0, C#. Covers the full Vault API: secret engines (KV, Transit, PKI, databases), auth methods (AppRole, Token, LDAP, Kubernetes), and system operations. Supports both Vault Community and Enterprise features. Fully free. This is a client library: no hosting, no service, no paid tier. NuGet install and use. The catch: this is a niche library for a specific integration. You need HashiCorp Vault already running (which has its own cost and ops story). VaultSharp just makes talking to it from C# easier. If you're not in the .NET ecosystem, this isn't relevant. If you are, it's essentially the only maintained Vault client for C#, so the choice is this or raw HTTP. At, the community is small, don't expect instant answers to edge case questions.