Moonito is the official Node.js SDK for real-time website analytics and advanced bot protection. Instantly detect and block AI crawlers, scrapers, and malicious bots — while tracking genuine visitors in real-time. Perfect for Express, TypeScript, and mode
Real-time analytics and AI bot protection SDK for Node.js and TypeScript.
Moonito is a powerful Node.js and TypeScript module for website security, traffic filtering, and real-time analytics.
It helps developers block AI bots, web scrapers, malicious traffic, competitors, and unwanted visitors while gaining accurate insights into genuine visitors.
Perfect for modern web apps, SaaS platforms, and backend applications that need intelligent protection and analytics in one solution.
Install Moonito via npm:
npm install moonito
Sign up for Moonito, create a project, and copy your API keys from your account dashboard. Then, create a new instance of VisitorTrafficFiltering.
import { VisitorTrafficFiltering } from 'moonito';
const filter = new VisitorTrafficFiltering({
apiPublicKey: 'YOUR_API_PUBLIC_KEY',
apiSecretKey: 'YOUR_API_SECRET_KEY',
isProtected: true,
unwantedVisitorTo: 'https://example.com/blocked', // URL or HTTP status code
unwantedVisitorAction: 1 // 1 = Redirect, 2 = Iframe, 3 = Load content
});
If you can, use middleware to track and filter incoming requests to all pages from a single place. Here's an example with Express:
import express from 'express';
import { VisitorTrafficFiltering } from 'moonito';
const app = express();
const port = 3000;
// Configure Moonito
const filter = new VisitorTrafficFiltering({
apiPublicKey: 'YOUR_API_PUBLIC_KEY',
apiSecretKey: 'YOUR_API_SECRET_KEY',
isProtected: true,
unwantedVisitorTo: 'https://example.com/blocked', // Redirect to this URL
unwantedVisitorAction: 1
});
// Alternative configuration with HTTP status code
// const filter = new VisitorTrafficFiltering({
// apiPublicKey: 'YOUR_API_PUBLIC_KEY',
// apiSecretKey: 'YOUR_API_SECRET_KEY',
// isProtected: true,
// unwantedVisitorTo: '403', // Return HTTP 403 Forbidden
// unwantedVisitorAction: 1
// });
// Apply Moonito middleware
app.use(async (req, res, next) => {
try {
await filter.evaluateVisitor(req, res);
} catch (error) {
return next(error);
}
next(!res.headersSent ? undefined : null);
});
// Your routes
app.get('/', (req, res) => {
res.send('Hello World!');
});
// Start server
app.listen(port, () => {
console.log(`Server running at http://localhost:${port}`);
});
For more control or custom implementations, you can manually evaluate visitors by providing IP, user agent, event, and domain information:
import { VisitorTrafficFiltering } from 'moonito';
// Configure Moonito
const filter = new VisitorTrafficFiltering({
apiPublicKey: 'YOUR_API_PUBLIC_KEY',
apiSecretKey: 'YOUR_API_SECRET_KEY',
isProtected: true,
unwantedVisitorTo: '403', // Return HTTP 403 Forbidden
unwantedVisitorAction: 1
});
// Visitor data
const userIP = '1.1.1.1';
const userAgent = 'Mozilla/5.0...';
const event = 'page-view';
const domain = 'example.com';
// Evaluate visitor
filter.evaluateVisitorManually(userIP, userAgent, event, domain)
.then(result => {
if (result.need_to_block) {
console.log('Visitor blocked. Detect activity:', result.detect_activity);
console.log('Block content type:', typeof result.content);
// Handle blocked visitor based on the returned content
if (typeof result.content === 'number') {
// HTTP status code - return status directly
console.log('HTTP Status Code:', result.content);
// In your application, you might do: res.status(result.content).send()
} else {
// HTML content - use as response body
console.log('HTML Content:', result.content);
// In your application, you might do: res.send(result.content)
}
return;
}
console.log('Visitor allowed. Detect activity:', result.detect_activity);
})
.catch(error => {
console.error('Error evaluating visitor:', error);
});
| Option | Type | Description |
|---|---|---|
apiPublicKey | string | Your Moonito API public key (required) |
apiSecretKey | string | Your Moonito API secret key (required) |
isProtected | boolean | Enable (true) or disable (false) protection |
unwantedVisitorTo | string | URL to redirect unwanted visitors or HTTP error code |
unwantedVisitorAction | number | Action for unwanted visitors: 1 = Redirect, 2 = Iframe, 3 = Load content |
For detailed documentation, guides, and API reference, visit:
We welcome contributions! For significant changes, please open an issue first to discuss what you would like to change. Make sure to update tests as appropriate.
This project is licensed under the MIT License.
Need help? Have questions or suggestions?
FAQs
Moonito is the official Node.js SDK for real-time website analytics and advanced bot protection. Instantly detect and block AI crawlers, scrapers, and malicious bots — while tracking genuine visitors in real-time. Perfect for Express, TypeScript, and mode
The npm package moonito receives a total of 4 weekly downloads. As such, moonito popularity was classified as not popular.
We found that moonito demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
OWASP’s 2025 Top 10 introduces Software Supply Chain Failures as a new category, reflecting rising concern over dependency and build system risks.
Research
/Security News
Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control systems.
Security News
Socket CTO Ahmad Nassri discusses why supply chain attacks now target developer machines and what AI means for the future of enterprise security.