Web Application Firewall (WAF)
Protect your Node.js apps at runtime – with just one command
Automatically block critical injection attacks, introduce rate limiting for APIs, and monitor outbound traffic.
Supports your tech stack
MySQL
MongoDB
Postgres
TypeORM
Sequelize
Stop relying on manual code reviews for injection vulnerabilities.
Detect and block malicious user input automatically, with just one command.
SQL & NoSQL injection
Attempts to manipulate database queries for malicious purposes (data theft, unauthorized access, etc.), including protection for different database flavors like MySQL, MongoDB, Postgres, and more.
Command injection
Attacks that inject and execute arbitrary system commands on your server through user input.
Rate limiting
Attacks by bots or brute force that flood your app with requests, aiming to overwhelm your servers or disrupt service for legitimate users.
Path traversal
Attempts to access unauthorized files or directories on your server by manipulating input fields or file paths.
Let Aikido handle the dirty work of blocking attacks.
![](https://cdn.prod.website-files.com/642adcaf364024552e71df01/66291bdb18cd888b41068438_Browser.webp)
Fully embedded
Unlike WAFs, Firewall runs inside your app as a JS library.
- No complex agents to deploy.
- No extra infrastructure or hardware.
- No impact on your performance.
![Aikido dashboard](https://cdn.prod.website-files.com/642adcaf364024552e71df01/66713e4d1acc0e547f238b06_666b0ee21adc31eb74f91354_Installation%20Instruction-p-800.png)
![Aikido dashboard](https://cdn.prod.website-files.com/642adcaf364024552e71df01/662a87bcda1abaa331dfcaa9_Runtime%20Protection-Big.png)
Runs in the background
Firewall analyzes data on the fly and blocks attacks automatically.
- No more updating rulesets.
- No constant monitoring.
- No extra follow-up actions.
Stop attacks in real-time
Firewall detects threats as your application runs and stops attacks in real-time, before they ever reach your database. No more endless patching or worrying about new vulnerabilities. Just install it once, and it handles the rest.
Way fewer false positives & negatives
Firewall is smarter than simple blocklists. It knows the difference between a malicious command and legitimate user input, so you get fewer false alarms and more peace of mind.
Detect and block malicious user input automatically, with just 1 line of code.
You can test Firewall in dry mode and verify it works, so you don’t break your app.
We’re implementing security best practices aligned with the highest standards.
FAQ
Is Aikido's software pentested?
Yes. We run a yearly pentest on our platform.
Is Aikido Firewall compatible with various databases and third-party services?
Right now, Aikido Firewall plays nicely with popular databases like MySQL, MongoDB, and PostgreSQL, and is compatible with ORMs like TypeORM and Sequelize. We're always adding support for more, such as Python and Ruby. Have a specific service in mind? Let us know, and we'll prioritize it.
What is the performance impact of implementing Aikido Firewall in my application?
Honestly, it's tiny. We're talking minuscule overhead for most apps. We're obsessed with performance and constantly benchmark Firewall to make sure it stays lightning fast. Need hard numbers for your use case? Just run some tests based on our benchmarks.
It's open source, but what if I run into issues or have specific questions? Where can I get help?
You're not on your own. We have a growing community of developers and security folks using Aikido Firewall. Don’t hesitate to open a GitHub issue – we're committed to making this project a success, and that includes support.
How do I know Firewall is actually working? Can I monitor blocked attacks and get detailed reports?
Seeing is believing. Aikido Firewall logs blocked attacks with all the juicy details: what the attack looked like, where it came from, etc. We're working on dashboards and integrations to make this info even more accessible.
Monkey-patching sounds risky—will it break my app's functionality or create unforeseen conflicts?
Monkey-patching gets a bad rap. Done right, it's a clever and efficient way to add functionality. Aikido Firewall targets a very specific area of your code, monitoring all outgoing traffic to databases and 3rd party APIs. We've rigorously tested it to make sure it plays nice with common setups. We even tested with OpenTelemetry in the background, which didn't create any conflicts. Still worried? Try it in a test environment first.
Why does Aikido Firewall give me fewer false positives/negatives than a WAF?
Traditional WAFs are like security guards at the gate. They only see what comes in, not what goes on inside your building (your app). Aikido Firewall is the security guard inside, watching both the front door AND how people move around once they're in. Because it sees the whole picture – the user input AND your app's database requests – it can tell the difference between a legitimate (but weird-looking) customer and a thief trying to be sneaky. Fewer false alarms, fewer real threats slipping through.
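A simplified illustration of that idea, added here and not Aikido's code or detection algorithm: a wrapped query function compares each outgoing SQL string with the request's inputs and flags an input only when it spans more than one SQL token. The names `protect` and `altersQuery`, the toy tokenizer and the stub driver are all assumptions made for this example.

```javascript
// Added illustration, not Aikido's code: hypothetical names, toy SQL tokenizer.
const TOKEN = /'(?:[^'\\]|\\.|'')*'|--[^\n]*|\d+(?:\.\d+)?|\w+|[^\s\w]/g;

// Start/end offsets of every token (string literal, comment, number, word, symbol).
function tokenSpans(sql) {
  return [...sql.matchAll(TOKEN)].map((m) => [m.index, m.index + m[0].length]);
}

// True when user input occurs in the query and is NOT contained in one token,
// i.e. it supplied SQL structure rather than a single value.
function altersQuery(sql, input) {
  const needle = String(input).trim();
  if (needle.length < 2) return false;
  const spans = tokenSpans(sql);
  for (let at = sql.indexOf(needle); at !== -1; at = sql.indexOf(needle, at + 1)) {
    const end = at + needle.length;
    if (!spans.some(([s, e]) => s <= at && end <= e)) return true;
  }
  return false;
}

// Monkey-patch client.query so each outgoing query is checked against the
// current request's inputs. dryRun records detections without blocking.
function protect(client, currentInputs, { dryRun = false } = {}) {
  const original = client.query;
  const detections = [];
  client.query = function (sql, ...rest) {
    const hit = currentInputs().find((v) => altersQuery(sql, v));
    if (hit !== undefined) {
      detections.push({ sql, input: hit });
      if (!dryRun) throw new Error("blocked: user input alters query structure");
    }
    return original.call(this, sql, ...rest);
  };
  return detections;
}

// Constructed demo: stub driver, one request whose input looks like an attack.
function demo(dryRun = false) {
  const executed = [];
  const db = { query: (sql) => executed.push(sql) };
  const inputs = ["1 OR 1=1"];
  const detections = protect(db, () => inputs, { dryRun });
  db.query("SELECT * FROM notes WHERE body = '1 OR 1=1'"); // one string literal
  let blocked = false;
  try { db.query("SELECT * FROM notes WHERE id = " + inputs[0]); } catch { blocked = true; }
  return { executed: executed.length, blocked, detections: detections.length };
}
```

A perimeter pattern match on the request would treat both calls the same; the in-app check lets the first through because the input stayed inside one string literal, and stops the second because it crossed token boundaries.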
How can one tool autonomously block so many threats without impacting performance?
We get it. It sounds too good to be true. Aikido Firewall’s magic is in three things: 1) it is a library inside your app, 2) it monitors both incoming user input and outgoing connections (to databases or 3rd party services), and 3) it doesn't rely on giant rule lists. This laser focus lets it protect you with almost zero performance overhead.
![Aikido dashboard](https://cdn.prod.website-files.com/642adcaf364024552e71df01/6638c413a941e9526fff8218_cta%20mockup.png)