What is Cordon by Codezero?
Cordon is a local Rust proxy that transparently intercepts outbound HTTP/HTTPS requests and injects API credentials from a secret store — 1Password or your OS keychain. Your applications never hold real secrets. They just make normal HTTP calls through the proxy.No secrets in environment variables
Environment variables leak into logs, crash dumps, child processes, and
ps output. Cordon injects credentials at the network layer instead.No code changes required
Set
HTTPS_PROXY and your existing HTTP client works. No additional SDKs, no secret-fetching boilerplate.Easy credential rotation
Rotate a secret in your secret store and restart the proxy. Your applications don’t change or restart.
Bring your own vaults
Integrate directly to native keychains, secrets managers and infrastructure you already invested in.
Why no environment variables?
Environment variables are the most common way to pass secrets to applications, but they have significant drawbacks:- Leak surface — env vars appear in
/proc/<pid>/environ,ps eww, crash dumps, error reporters, and CI logs - Inheritance — child processes inherit all env vars. A subprocess you didn’t write now has your API keys
- No audit trail — there’s no record of when an env var was read or by whom
- Rotation friction — changing a secret requires restarting all processes that use it
HTTPS_PROXY=http://127.0.0.1:6790 — a non-secret configuration value.
How it works
Your app connects normally
Your app makes a normal API call or database connection. Cordon sits in the middle, transparent to your application.
Cordon matches the route
Cordon checks the destination hostname against your configured routes in
cordon.yaml.Credentials are injected
Cordon injects the real credential from 1Password or the OS keyring. Your app doesn’t need to send any auth headers. Cordon adds them entirely. This works for HTTP APIs and database connections alike.
Installation
Install cordon via npm
Quickstart
Get up and running in minutes