{"id":15285382,"url":"https://github.com/aikidosec/firewall-node","last_synced_at":"2026-04-02T11:58:07.542Z","repository":{"id":232185288,"uuid":"746604687","full_name":"AikidoSec/firewall-node","owner":"AikidoSec","description":"Zen protects your Node app against attacks with one line of code. Get peace of mindβ€” at runtime.","archived":false,"fork":false,"pushed_at":"2025-04-04T15:11:04.000Z","size":9079,"stargazers_count":58,"open_issues_count":26,"forks_count":6,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-04-05T02:04:21.317Z","etag":null,"topics":["attack-defense","firewall","nodejs","nosql-injection","path-traversal","rasp","security","shell-injection","sql-injection"],"latest_commit_sha":null,"homepage":"http://aikido.dev/zen","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AikidoSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-22T10:45:55.000Z","updated_at":"2025-04-03T16:24:24.000Z","dependencies_parsed_at":"2024-04-15T09:47:32.359Z","dependency_job_id":"8c4ff63a-710f-445e-b4bd-591a10188659","html_url":"https://github.com/AikidoSec/firewall-node","commit_stats":{"total_commits":1762,"total_committers":15,"mean_commits":"117.46666666666667","dds":0.3433598183881952,"last_synced_commit":"27ee22df1be4426fcd87965a768d14b99bffcc93"},"previous_names":["aikidosec/runtime-node","aikidosec/firewall-node"],"tags_count":118,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AikidoSec%2Ffirewall-node","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AikidoSec%2Ffirewall-node/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AikidoSec%2Ffirewall-node/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AikidoSec%2Ffirewall-node/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AikidoSec","download_url":"https://codeload.github.com/AikidoSec/firewall-node/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247276163,"owners_count":20912288,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack-defense","firewall","nodejs","nosql-injection","path-traversal","rasp","security","shell-injection","sql-injection"],"created_at":"2024-09-30T15:04:29.852Z","updated_at":"2026-04-02T11:58:07.531Z","avatar_url":"https://github.com/AikidoSec.png","language":"TypeScript","readme":"![Zen by Aikido for Node.js](./docs/banner.svg)\n\n# Zen, in-app firewall for Node.js | by Aikido\n\n[![NPM Version](https://img.shields.io/npm/v/%40aikidosec%2Ffirewall?style=flat-square)](https://www.npmjs.com/package/@aikidosec/firewall)\n[![Codecov](https://img.shields.io/codecov/c/github/AikidoSec/firewall-node?style=flat-square\u0026token=AJK9LU35GY)](https://app.codecov.io/gh/aikidosec/firewall-node)\n[![NPM License](https://img.shields.io/npm/l/%40aikidosec%2Ffirewall?style=flat-square)](https://github.com/AikidoSec/firewall-node/blob/main/LICENSE)\n[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)\n[![Unit tests](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml)\n[![End to end tests](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml)\n\nZen, your in-app firewall for peace of mind– at runtime.\n\nZen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks.\n\nIt protects your Node.js apps by scanning user input and where that data eventually flows to, allowing Zen to more accurately block SQL Injections, Path traversal attacks, and more. It runs on the same server as your Node.js app for simple [installation](#installation) and zero maintenance.\n\n## Features\n\nZen will autonomously protect your Node.js applications against:\n\n- πŸ›‘οΈ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities)\n- πŸ›‘οΈ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)\n- πŸ›‘οΈ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)\n- πŸ›‘οΈ [Prototype pollution](./docs/prototype-pollution.md)\n- πŸ›‘οΈ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)\n- πŸ›‘οΈ [Server-side request forgery (SSRF)](./docs/ssrf.md)\n- πŸ›‘οΈ [Attack wave detection](https://help.aikido.dev/zen-firewall/zen-features/attack-wave-protection)\n- πŸ›‘οΈ JS injection\n- πŸ›‘οΈ [IDOR attacks](./docs/idor-protection.md) (opt-in, see setup guide)\n\nZen operates autonomously on the same server as your Node.js app to:\n\n- βœ… Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.\n- βœ… Auto-generate API specifications\n- βœ… Block known threat actors and bots.\n- βœ… Geo-fencing to block or allow a selection of countries\n- βœ… Rate limit specific API endpoints by IP or by user\n- βœ… Allows you to block specific users manually\n\n## Supported libraries and frameworks\n\nZen for Node.js 16+ is compatible with:\n\n### Web frameworks\n\n- βœ… [Express](docs/express.md) 4.x, 5.x\n- βœ… [Hono](docs/hono.md) 4.x\n- βœ… [hapi](docs/hapi.md) 21.x\n- βœ… [micro](docs/micro.md) 10.x\n- βœ… [Next.js](docs/next.md) 12.x, 13.x and 14.x\n- βœ… [Fastify](docs/fastify.md) 4.x and 5.x\n- βœ… [Koa](docs/koa.md) 3.x and 2.x\n- βœ… [NestJS](docs/nestjs.md) 10.x and 11.x\n- βœ… [Restify](docs/restify.md) 11.x, 10.x, 9.x and 8.x\n\n### Database drivers\n\n- βœ… [`mongodb`](https://www.npmjs.com/package/mongodb) 4.x, 5.x, 6.x and 7.x _(npm package versions, not MongoDB server versions)_\n- βœ… [`mongoose`](https://www.npmjs.com/package/mongoose) 8.x, 7.x and 6.x\n- βœ… [`pg`](https://www.npmjs.com/package/pg) 8.x and 7.x\n- βœ… [`mysql`](https://www.npmjs.com/package/mysql) 2.x\n- βœ… [`mysql2`](https://www.npmjs.com/package/mysql2) 3.x\n- βœ… [`mariadb`](https://www.npmjs.com/package/mariadb) 3.x (3.5+ requires ESM instrumentation)\n- βœ… [`sqlite3`](https://www.npmjs.com/package/sqlite3) 6.x and 5.x\n- βœ… [`node:sqlite`](https://nodejs.org/api/sqlite.html)\n- βœ… [`better-sqlite3`](https://www.npmjs.com/package/better-sqlite3) 12.x, 11.x, 10.x, 9.x and 8.x\n- βœ… [`postgres`](https://www.npmjs.com/package/postgres) 3.x\n- βœ… [`@clickhouse/client`](https://www.npmjs.com/package/@clickhouse/client) 1.x\n- βœ… [`@prisma/client`](https://www.npmjs.com/package/@prisma/client) 5.x\n\n### Cloud providers\n\n- βœ… [`@google-cloud/functions-framework`](https://www.npmjs.com/package/@google-cloud/functions-framework) 5.x, 4.x and 3.x\n- βœ… [`@google-cloud/pubsub`](https://www.npmjs.com/package/@google-cloud/pubsub) 5.x, 4.x\n- βœ… Google Cloud Functions\n- βœ… AWS Lambda\n\n### ORMs and query builders\n\nSee list above for supported database drivers.\n\n- βœ… [`sequelize`](https://www.npmjs.com/package/sequelize)\n- βœ… [`knex`](https://www.npmjs.com/package/knex)\n- βœ… [`typeorm`](https://www.npmjs.com/package/typeorm)\n- βœ… [`bookshelf`](https://www.npmjs.com/package/bookshelf)\n- βœ… [`drizzle-orm`](https://www.npmjs.com/package/drizzle-orm)\n- βœ… [`kysely`](https://www.npmjs.com/package/kysely)\n\n### API tools\n\n- βœ… [`graphql`](https://www.npmjs.com/package/graphql) 15.x, 16.x\n\n### Data serialization tools\n\n- βœ… [`xml2js`](https://www.npmjs.com/package/xml2js) 0.6.x, 0.5.x, ^0.4.18\n- βœ… [`fast-xml-parser`](https://www.npmjs.com/package/fast-xml-parser) 5.x, 4.x\n- βœ… [`xml-js`](https://www.npmjs.com/package/xml-js) 1.x\n\n### Shell tools\n\n- βœ… [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.9.x, 0.8.x, 0.7.x\n\n### Routers\n\n- βœ… [`@koa/router`](https://www.npmjs.com/package/@koa/router) 14.x, 13.x, 12.x, 11.x and 10.x\n\n### AI SDKs\n\nZen instruments the following AI SDKs to track which models are used and how many tokens are consumed, allowing you to monitor your AI usage and costs:\n\n- βœ… [`openai`](https://www.npmjs.com/package/openai) 6.x, 5.x, 4.x\n- βœ… [`@mistralai/mistralai`](https://www.npmjs.com/package/@mistralai/mistralai) 1.x\n- βœ… [`@anthropic-ai/sdk`](https://www.npmjs.com/package/@anthropic-ai/sdk) ^0.40.x\n- βœ… [`@aws-sdk/client-bedrock-runtime`](https://www.npmjs.com/package/@aws-sdk/client-bedrock-runtime) 3.x\n- βœ… [`ai`](https://www.npmjs.com/package/ai) 6.x, 5.x, 4.x\n- βœ… [`@google/genai`](https://www.npmjs.com/package/@google/genai) ^1.6.0\n\n_Note: Prompt injection attacks are currently not covered by Zen._\n\n## Installation\n\nWe recommend testing Zen locally or on staging before deploying to production.\n\n```shell\n# The --save-exact makes sure that you don't automatically install a newer version\n$ npm install --save-exact @aikidosec/firewall\n\n# The --exact makes sure that you don't automatically install a newer version\n$ yarn add --exact @aikidosec/firewall\n```\n\nFor framework- and provider- specific instructions, check out our docs:\n\n- [Express](docs/express.md)\n- [Fastify](docs/fastify.md)\n- [Hapi](docs/hapi.md)\n- [Koa](docs/koa.md)\n- [Hono](docs/hono.md)\n- [NestJS](docs/nestjs.md)\n- [micro](docs/micro.md)\n- [Next.js](docs/next.md)\n- [Restify](docs/restify.md)\n- [AWS Lambda](docs/lambda.md)\n- [Google Cloud Functions](docs/cloud-functions.md)\n- [Google Cloud Pub/Sub](docs/pubsub.md)\n\n\u003e [!NOTE]\n\u003e Many TypeScript projects use `import` syntax but still compile to CommonJS β€” in that case, the setup in the framework docs above works as-is. If your app runs as **native ESM** at runtime (e.g. `\"type\": \"module\"` in package.json), see [ESM setup](docs/esm.md) for additional steps.\n\n## Guides\n\n- [Troubleshooting](docs/troubleshooting.md) β€” common issues and how to debug Zen\n- [ESM support](docs/esm.md) β€” setup for native ECMAScript module apps\n- [Bundlers](docs/bundler.md) β€” using Zen with esbuild and other bundlers\n- [Proxy / IP headers](docs/proxy.md) β€” configure client IP detection behind load balancers\n- [Set the current user](docs/user.md) β€” identify users for rate limiting, blocking, and attack reports\n- [IDOR protection](docs/idor-protection.md) β€” prevent data leaks in multi-tenant apps\n\n## Reporting to your Aikido Security dashboard\n\n\u003e Aikido is your no nonsense application security platform. One central system that scans your source code \u0026 cloud, shows you what vulnerabilities matter, and how to fix them - fast. So you can get back to building.\n\nZen improves Aikido's offering by providing you with security in production. Use the automatic generation of API specifications together with our API scanning offering for even better API Security.\n\nOnly the necessary data gets reported back to Aikido, we scan your requests locally and only report back data once every 10 minutes.\nIf an attack on your application is detected, we report immediately allowing you to take swift action.\n\nYou can easily select which IP addresses and/or bots to block from curated lists inside our Dashboard.\n\nYou will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can [sign up for free](https://app.aikido.dev/login). (No credit card required)\n\nHere's how:\n\n- [Log in to your Aikido account](https://app.aikido.dev/login).\n- Go to [Zen](https://app.aikido.dev/runtime/services).\n- Go to apps.\n- Click on **Add app**.\n- Choose a name for your app.\n- Click **Generate token**.\n- Copy the token.\n- Set the token as an environment variable, `AIKIDO_TOKEN`, using [dotenv](https://github.com/motdotla/dotenv) or another method of your choosing.\n\n## Running in production (blocking) mode\n\nBy default, Zen will only detect and report attacks to Aikido.\n\nTo block requests, set the `AIKIDO_BLOCK` environment variable to `true`.\n\nSee [Reporting to Aikido](#reporting-to-your-aikido-security-dashboard) to learn how to send events to Aikido.\n\n## Additional configuration\n\n[Configure Zen using environment variables for authentication, mode settings, debugging, and more.](https://help.aikido.dev/doc/configuration-via-env-vars/docrSItUkeR9)\n\n## License\n\nThis program is offered under a commercial and under the AGPL license.\nYou can be released from the requirements of the AGPL license by purchasing\na commercial license. Buying such a license is mandatory as soon as you\ndevelop commercial activities involving the Zen software without\ndisclosing the source code of your own applications.\n\nFor more information, please contact Aikido Security at this\naddress: support@aikido.dev or create an account at https://app.aikido.dev.\n\n## Benchmarks\n\nWe run a benchmark on every commit to ensure Zen has a minimal impact on your application's performance.\n\nSee [benchmarks](benchmarks)\n\n## Bug bounty program\n\nOur bug bounty program is public and can be found by all registered Intigriti users at: https://app.intigriti.com/researcher/programs/aikido/aikidoruntime\n\n## Contributing\n\nSee [CONTRIBUTING.md](.github/CONTRIBUTING.md) for more information.\n\n## Code of Conduct\n\nSee [CODE_OF_CONDUCT.md](.github/CODE_OF_CONDUCT.md) for more information.\n\n## Security\n\nSee [SECURITY.md](.github/SECURITY.md) for more information.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faikidosec%2Ffirewall-node","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faikidosec%2Ffirewall-node","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faikidosec%2Ffirewall-node/lists"}