Skip to main content
Mizu provides a rich set of middlewares to handle common web application concerns. All middlewares follow these principles:
  • Zero external dependencies - Only uses Go standard library
  • Sensible defaults - Works out of the box
  • Options pattern - Fully configurable when needed
  • Concurrent safe - Safe for use across goroutines

​
Installation

Middlewares are included with Mizu. Import the specific middleware you need: 
import (
    "github.com/go-mizu/mizu"
    "github.com/go-mizu/mizu/middlewares/recover"
    "github.com/go-mizu/mizu/middlewares/requestid"
    "github.com/go-mizu/mizu/middlewares/timeout"
)

​
Quick Start

A typical production setup: 
package main

import (
    "time"

    "github.com/go-mizu/mizu"
    "github.com/go-mizu/mizu/middlewares/helmet"
    "github.com/go-mizu/mizu/middlewares/ratelimit"
    "github.com/go-mizu/mizu/middlewares/recover"
    "github.com/go-mizu/mizu/middlewares/requestid"
    "github.com/go-mizu/mizu/middlewares/timeout"
)

func main() {
    app := mizu.New()

    // Essential middlewares
    app.Use(recover.New())              // Panic recovery
    app.Use(requestid.New())            // Request tracing
    app.Use(timeout.New(30*time.Second)) // Request timeout
    app.Use(helmet.Default())           // Security headers
    app.Use(ratelimit.PerMinute(100))   // Rate limiting

    app.Get("/", func(c *mizu.Ctx) error {
        return c.Text(200, "Hello, World!")
    })

    app.Listen(":3000")
}

​
Categories

​
Authentication

Secure your endpoints with various authentication methods:
MiddlewareDescription
basicauthHTTP Basic Authentication
bearerauthBearer token authentication
keyauthAPI key authentication
csrfCross-Site Request Forgery protection
csrf2Enhanced CSRF with double submit
jwtJWT token authentication
oauth2OAuth 2.0 authentication flows
oidcOpenID Connect authentication

​
Security

Protect your application from common web vulnerabilities:
MiddlewareDescription
helmetSecurity headers (CSP, HSTS, etc.)
secureHTTPS enforcement and security features
ipfilterIP whitelist/blacklist
honeypotDetect and block malicious requests
captchaCAPTCHA verification (reCAPTCHA, hCaptcha, Turnstile)
corsCross-Origin Resource Sharing
cors2Enhanced CORS with preflight caching
rbacRole-based access control
signatureRequest signature verification

​
Rate Limiting & Resilience

Control request rates and protect against overload:
MiddlewareDescription
ratelimitToken bucket rate limiting
circuitbreakerCircuit breaker pattern
bulkheadBulkhead isolation pattern
throttleRequest throttling
concurrencyConcurrency limiting
adaptiveAdaptive rate limiting

​
Request Processing

Validate and transform incoming requests:
MiddlewareDescription
bodylimitLimit request body size
contenttypeValidate Content-Type
validatorRequest validation rules
headerHeader manipulation
methodoverrideHTTP method override
bodycloseAuto-close request body
bodydumpDump request/response bodies
requestsizeRequest size tracking
sanitizerInput sanitization
transformerRequest/response transformation
filterRequest filtering

​
Response Processing

Transform and enhance outgoing responses:
MiddlewareDescription
compressGzip/deflate compression
envelopeResponse envelope wrapper
responsesizeResponse size tracking
varyVary header management
errorpageCustom error pages
hypermediaHypermedia response helpers

​
Caching

Control HTTP caching behavior:
MiddlewareDescription
cacheSet Cache-Control headers
nocachePrevent caching
etagETag generation
lastmodifiedLast-Modified headers

​
URL Handling

Redirect and rewrite URLs:
MiddlewareDescription
redirectURL redirection (HTTPS, WWW)
slashTrailing slash handling
rewriteURL rewriting

​
Networking & Proxy

Handle proxy headers and reverse proxying:
MiddlewareDescription
proxyReverse proxy
forwardedX-Forwarded-* headers
realipExtract real client IP
h2cHTTP/2 cleartext support
surrogateCDN surrogate headers

​
Request Context

Enhance request handling:
MiddlewareDescription
requestidGenerate/propagate request IDs
timeoutRequest timeout
recoverPanic recovery
timingServer-Timing header
traceDistributed tracing context
conditionalConditional middleware execution

​
Real-time

Support real-time communication:
MiddlewareDescription
websocketWebSocket connections
sseServer-Sent Events

​
Static Files

Serve static content:
MiddlewareDescription
staticStatic file serving
spaSingle Page Application support
faviconFavicon serving
embedEmbedded filesystem serving

​
Operations & Monitoring

Tools for production operations:
MiddlewareDescription
versionAPI versioning
maintenanceMaintenance mode
pprofProfiling endpoints
healthcheckHealth check endpoints
metricsCustom metrics collection
prometheusPrometheus metrics endpoint
expvarExpvar metrics endpoint
loggerRequest logging
requestlogDetailed request logging
responselogResponse logging

​
Advanced

Specialized functionality:
MiddlewareDescription
featureFeature flags
multitenancyMulti-tenant support
chaosChaos engineering
mirrorRequest mirroring
fingerprintRequest fingerprinting
canaryCanary deployment routing
auditAudit logging
idempotencyIdempotency key handling
retryAutomatic request retries
hedgeHedged requests
fallbackFallback handlers
mockRequest mocking

​
Connection & Protocol

Connection and protocol handling:
MiddlewareDescription
keepaliveConnection keep-alive control
maxconnsMaximum connections limit
msgpackMessagePack handling
jsonrpcJSON-RPC protocol support
graphqlGraphQL request handling
xmlXML request/response handling

​
Internationalization

Locale and timezone handling:
MiddlewareDescription
languageLanguage detection
timezoneTimezone detection
nonceCryptographic nonce generation

​
External Integrations

Third-party service integrations:
MiddlewareDescription
otelOpenTelemetry integration
sentrySentry error tracking
sessionSession management

​
Bot & Client Detection

Client identification and validation:
MiddlewareDescription
botBot detection
xrequestedwithX-Requested-With validation

​
Usage Patterns

​
Global middleware

Apply to all routes: 
app.Use(recover.New())

​
Route-specific middleware

Apply to specific routes: 
app.Get("/admin", adminHandler, basicauth.New(credentials))

​
Group middleware

Apply to a group of routes: 
api := app.Group("/api")
api.Use(keyauth.New(validateKey))

api.Get("/users", listUsers)
api.Post("/users", createUser)

​
Conditional middleware

Skip middleware based on conditions: 
app.Use(ratelimit.WithOptions(ratelimit.Options{
    Rate:     100,
    Interval: time.Minute,
    Skip: func(c *mizu.Ctx) bool {
        return c.Request().URL.Path == "/health"
    },
}))

​
Best Practices

  1. Order matters - Place recover first to catch all panics
  2. Use timeouts - Always set request timeouts in production
  3. Rate limit - Protect public endpoints from abuse
  4. Security headers - Use helmet for recommended security headers
  5. Request IDs - Add requestid for tracing and debugging

​
Next Steps