🚀 Big News:Socket Has Acquired Secure Annex.Learn More →
Socket
Book a DemoSign in
Socket
Book a DemoSign in

@tumull/shield

Package Overview
Dependencies
Maintainers
1
Versions
3
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@tumull/shield

Drop-in API rate limiting & DDoS protection for Node.js/Next.js

latest
Source
npmnpm
Version
1.2.0
Version published
Maintainers
1
Created
Source

@tumull/shield

Rate limiting, bot detection, and brute force protection for Node.js apps. Works with Next.js, Express, Fastify, Hono, or plain http. No external dependencies in the core.

npm downloads bundle license tests release

Why?

Most rate limiting libs are either too simple (fixed window, no bot detection) or tied to a paid service. Shield gives you sliding window, token bucket, bot detection, brute force protection, and per-route config — all in one package, for free, with zero lock-in.

Install

npm install @tumull/shield

Usage

Next.js

// middleware.ts
import { shield } from '@tumull/shield'

export default shield({
  limit: 100,
  window: '1m',
})

export const config = {
  matcher: '/api/:path*',
}

That's basically it. Your API routes are rate-limited now.

Express

import express from 'express'
import { shieldExpress } from '@tumull/shield'

const app = express()
app.use(shieldExpress({ limit: 100, window: '1m' }))

Fastify

import Fastify from 'fastify'
import { shieldFastify } from '@tumull/shield'

const app = Fastify()
app.register(shieldFastify, { limit: 100, window: '1m' })

Hono

import { Hono } from 'hono'
import { shieldHono } from '@tumull/shield'

const app = new Hono()
app.use('*', shieldHono({ limit: 100, window: '1m' }))

Node.js HTTP

import http from 'node:http'
import { shieldNode } from '@tumull/shield'

const limiter = shieldNode({ limit: 100, window: '1m' })

http
  .createServer(async (req, res) => {
    if (await limiter(req, res)) return // blocked
    res.writeHead(200)
    res.end('ok')
  })
  .listen(3000)

Config

shield({
  limit: 100, // requests per window
  window: '1m', // "30s", "1m", "5m", "1h", "1d"
  block: '15m', // how long to block after exceeding limit
  algorithm: 'sliding-window', // or 'fixed-window', 'token-bucket'

  // different limits for different routes
  routes: {
    '/api/auth/login': { limit: 5, window: '5m', block: '30m' },
    '/api/public/*': { limit: 500, window: '1m' },
    '/api/private/*': { allowlistGeo: ['US', 'CA'] },
    '/api/webhook/*': { skip: true },
  },

  // custom key (default: client IP)
  key: (req) => req.headers.get('x-api-key') ?? extractIP(req),

  store: 'memory', // default. also supports Redis, Upstash
  botDetection: true,
  blockBots: ['scrapy', 'curl'],
  allowlist: ['127.0.0.1'],
  // country-level controls (ISO codes)
  allowlistGeo: ['US', 'CA'],
  blocklistGeo: ['RU'],
  wafEnabled: true,
  wafRules: [
    { target: 'query', operator: 'regex', value: 'union\\s*select', flags: 'i' },
    { target: 'path', value: '/admin' },
  ],
  blocklist: [],
  headers: true, // X-RateLimit-* headers

  onLimit: (req, retryAfter) =>
    new Response(JSON.stringify({ error: 'Slow down' }), { status: 429 }),
})

Full config reference → docs/configuration.md

Stores

Memory (default) — no setup, works everywhere. LRU eviction keeps memory bounded.

import { shield, MemoryStore } from '@tumull/shield'
shield({ store: new MemoryStore({ maxSize: 10_000 }) })

Redis — for multi-instance / production setups.

import { RedisStore } from '@tumull/shield/stores/redis'
import Redis from 'ioredis'

shield({ store: new RedisStore({ client: new Redis(process.env.REDIS_URL) }) })

Upstash — HTTP-based, works on the edge (Vercel Edge, Cloudflare Workers).

import { UpstashStore } from '@tumull/shield/stores/upstash'

shield({
  store: new UpstashStore({
    url: process.env.UPSTASH_REDIS_URL!,
    token: process.env.UPSTASH_REDIS_TOKEN!,
  }),
})

More details → docs/stores.md

Algorithms

AlgorithmWhat it doesGood for
sliding-windowWeighted average of current + previous windowMost apps (default)
fixed-windowSimple counter, resets on intervalHigh throughput
token-bucketTokens refill at constant rateBursty traffic

More details → docs/algorithms.md

Response headers

When headers: true (default):

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 73
X-RateLimit-Reset: 1708934400

When blocked → 429 Too Many Requests with Retry-After header.

How it compares

Shieldexpress-rate-limit@upstash/ratelimitArcjet
Next.js middleware✅❌✅✅
Edge runtime✅❌✅✅
Zero deps✅✅❌❌
Sliding window✅❌✅✅
Bot detection✅❌❌✅
Brute force✅❌❌✅
Per-route config✅manual❌✅
Freeâś…âś…freemiumfreemium

Docs

Contributing

See CONTRIBUTING.md.

License

MIT — TUMULL I.N.C.

Keywords

rate-limit
rate-limiter
ddos
protection
middleware
next.js

FAQs

Package last updated on 03 Apr 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape

Security News

Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape

A critical vm2 sandbox escape can allow untrusted JavaScript to break isolation and execute commands on the host Node.js process.

By Wenxin Jiang, Marvin Fleischer, Jonah Ghebremichael  -  May 08, 2026