DropLock Guard — VS Code Extension
API security coverage for Express, Fastify, Koa, and Next.js.
Automatically discovers unprotected routes, shows what's missing, and generates fixes in one click.
Companion API: droplock/api.
Install
ext install droplock.guard
Or search DropLock Guard in the VS Code Extensions panel.
What it does
Opens a sidebar with four panels:
| Panel | Description |
| --- | --- |
| Coverage | Every API route colour-coded: covered / partial / unprotected |
| Violations | Live feed of blocked requests from the DropLock SDK |
| Project Health | 14 workspace-wide checks: secrets, cookies, SQL injection, XSS |
| Settings | Sign in, paste API key, toggle enforce/report mode |
Click any unprotected route → Generate Fix → middleware inserted at the correct line, streamed in real time.
Supported frameworks
| Framework | Status |
| --- | --- |
| Express | ✅ Full |
| Next.js App Router | ✅ Full |
| Next.js Pages Router | ✅ Full |
| Fastify | ✅ Full |
| Koa | ✅ Full |
Auto-detected from package.json. No config needed.
Getting started
- Install the extension
- Open any Express/Next.js project folder
- The shield icon appears in the activity bar immediately
- Click unprotected routes to see what's missing
- Sign up at app.droplock.io to get Generate Fix credits
Generate Fix
Each account gets 3 free Generate Fix credits per month. Buy more at app.droplock.io/dashboard — credits never expire.
The fix is streamed character-by-character and inserted at the exact line of the route registration.
⚠️ After generating a fix: Always review the generated middleware using the Security Review Checklist before shipping to production. "Covered" means the middleware is present—not that it's correctly configured for your threat model.
For self-hosters
If you're running your own droplock/api instance, update the proxy URL in src/extension/generateFix.ts before packaging:
const PROXY_URL = 'https://YOUR_DOMAIN/api/generate-fix';
License
MIT © 2025 DropLock