Middleware Overview

Zinc middleware uses the same shape as a route handler, so it composes directly with apps, groups, and individual routes.

func(*zinc.Context) error

Import first-party middleware from one package:

import "github.com/0mjs/zinc/middleware"

Start with a normal stack

Most APIs start with request identity, logging, panic recovery, CORS, body limits, and security headers.

app.Use(middleware.RequestID())
app.Use(middleware.RequestLogger())
app.Use(middleware.Recover())
app.Use(middleware.CORS("https://app.example.com"))
app.Use(middleware.BodyLimit(10 * middleware.MB))
app.Use(middleware.Secure())

Add auth, metrics, rate limiting, compression, and static files only where the application needs them.

Security

Middleware	Use it for
`CORS`	Browser cross-origin policy and preflight responses
`CSRF`	Cookie-backed CSRF protection for browser-facing forms and fetch requests
`Secure`	Common browser security response headers
`Header Guards`	Reject unsupported content types or route by request headers

Authentication and sessions

Middleware	Use it for
`JWT`	Bearer token parsing, validation, and typed claims
`Basic Auth`	Simple admin or internal route protection
`Key Auth`	API keys from headers, query values, cookies, or custom extractors
`Casbin Auth`	Authorization through a Casbin-compatible enforcer
`Session`	Small signed cookie-backed session values

Observability

Middleware	Use it for
`Request Logger`	Structured request logs with status, timing, route, headers, and errors
`Request ID`	Generate or propagate request IDs through `X-Request-ID`
`Prometheus`	Dependency-free request counters and duration metrics
`Jaeger`	`Uber-Trace-Id` propagation and span observation
`Pprof`	Standard library profiling routes behind Zinc middleware
`Body Dump`	Request and response body snapshots for debugging or auditing

Traffic control

Middleware	Use it for
`Rate Limiter`	Token-bucket limits by app, IP, or custom key
`Body Limit`	Reject oversized request bodies
`Context Timeout`	Attach per-request deadlines to the handler chain
`Recover`	Convert panics into Zinc's normal error flow
`Utility`	`Throttle`, `Heartbeat`, `NoCache`, `Maybe`, `RealIP`, and `SetHeader`

Transport and routing helpers

Middleware	Use it for
`Gzip`	Compress responses for clients that accept gzip
`Decompress`	Decode gzip request bodies before handlers read them
`Method Override`	Tunnel `PUT`, `PATCH`, or `DELETE` through `POST`
`Trailing Slash`	Add, remove, or redirect trailing slash variants
`Rewrite`	Rewrite request paths before route dispatch
`Redirect`	Redirect exact or wildcard paths
`Proxy`	Reverse proxy requests with `net/http/httputil`
`Static`	Serve static files from middleware

Where middleware belongs

Use app-level middleware for behavior that should wrap every request.

app.Use(middleware.RequestID(), middleware.RequestLogger())

Use group middleware for a route family.

api := app.Group("/api")
api.Use(middleware.JWT(keyFunc))

Use route middleware when the behavior belongs to one endpoint.

app.Post("/exports", middleware.RateLimiter(), startExport)

Start with a normal stack​

Security​

Authentication and sessions​

Observability​

Traffic control​

Transport and routing helpers​

Where middleware belongs​

See also​