@aikidosec/firewall
Advanced tools
Aikido firewall protects your application against NoSQL injections and more
Aikido Firewall is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks.
It protects your Node.js apps by preventing user input containing dangerous strings, which allow injection, pollution, and path traversal attacks. It runs on the same server as your Node.js app for simple installation and zero maintenance.
Firewall autonomously protects your Node.js applications against:
Firewall operates autonomously on the same server as your Node.js app to:
Aikido Firewall for Node.js 16+ is compatible with:
mongodb 4.x, 5.x and 6.x (npm package versions, not MongoDB server versions)mongoose 8.x, 7.x and 6.xpg 8.x and 7.xmysql 2.xmysql2 3.xsqlite3 5.x@google-cloud/functions-framework 3.x@google-cloud/pubsub 4.xSee list above for supported database drivers.
sequelizeknextypeormbookshelfdrizzle-ormgraphql 16.xxml2js 0.6.x, 0.5.x, ^0.4.18fast-xml-parser 4.x# The --save-exact makes sure that you don't automatically install a newer version
$ npm install --save-exact @aikidosec/firewall
# The --exact makes sure that you don't automatically install a newer version
$ yarn add --exact @aikidosec/firewall
For framework- and provider- specific instructions, check out our docs:
Aikido Security is a developer-first software security platform. We scan your source code & cloud to show you which vulnerabilities are actually important.
You can use some of Firewalls's features without Aikido, but you will get the most value by reporting your data to Aikido.
You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can sign up for free.
Here's how:
AIKIDO_TOKEN, using dotenv or another method of your choosing.By default, Firewall will only detect and report attacks to Aikido.
To block requests, set the AIKIDO_BLOCKING environment variable to true.
See Reporting to Aikido to learn how to send events to Aikido.
This program is offered under a commercial and under the AGPL license. You can be released from the requirements of the AGPL license by purchasing a commercial license. Buying such a license is mandatory as soon as you develop commercial activities involving the Aikido Firewall software without disclosing the source code of your own applications.
For more information, please contact Aikido Security at this address: support@aikido.dev or create an account at https://app.aikido.dev.
We run a benchmark on every commit to ensure Firewall has a minimal impact on your application's performance.
The benchmark runs a simple MongoDB query to measure the difference between two runs with and without Firewall:
| Without Firewall | With Firewall | Difference in ms |
|---|---|---|
| 0.214ms | 0.222ms | +0.008ms |
(Using Node.js 18.x and MongoDB 6.3.x. Results will vary depending on your hardware.)
See benchmarks for more information.
Our bug bounty program is public and can be found by all registered Intigriti users at: https://app.intigriti.com/researcher/programs/aikido/aikidoruntime
See CONTRIBUTING.md for more information.
See CODE_OF_CONDUCT.md for more information.
See SECURITY.md for more information.
FAQs
Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.
The npm package @aikidosec/firewall receives a total of 4,511 weekly downloads. As such, @aikidosec/firewall popularity was classified as popular.
We found that @aikidosec/firewall demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago.Β It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security Fundamentals
A pair of typosquatted Go packages posing as Googleβs UUID library quietly turn helper functions into encrypted exfiltration channels to a paste site, putting developer and CI data at risk.
Security News
November CVE publications fell 25% YoY even as 2025 totals rose, showing how a few major CNAs can swing βglobalβ counts and skew perceived risk.
Security News
React disclosed a CVSS 10.0 RCE in React Server Components and is advising users to upgrade affected packages and frameworks to patched versions now.