@aikidosec/guard v1.3.0
Aikido Guard for Node.js
Features
Protects your application against
- 🛡️ NoSQL injection attacks
- 🛡️ SQL injection attacks
- 🛡️ Prototype pollution
- 🔥 More to come (See roadmap below)
Roadmap
- Monitor outbound requests
- Protect against path traversal attacks
- Protect against SSRF attacks
- Protect against shell injection attacks
Supported libraries and frameworks
Aikido guard for Node.js is compatible with
- ✅
express
4.x - ✅
mongodb
4.x, 5.x and 6.x (npm package versions, not MongoDB server versions) - ✅
mongoose
8.x, 7.x and 6.x - ✅
pg
8.x and 7.x - ✅
mysql
2.x - ✅
mysql2
3.x
Installation
# The --save-exact makes sure that you don't automatically install a newer version
$ npm install --save-exact @aikidosec/guard
# The --exact makes sure that you don't automatically install a newer version
$ yarn add --exact @aikidosec/guard
- For express based apps, follow the Express instructions
- For AWS Lambda, follow the AWS Lambda instructions
Reporting to Aikido
Aikido Security is a developer-first software security platform. We scan your source code & cloud to show you which vulnerabilities are actually important.
You can use some of this library's features without Aikido, but you will get the most value when using it with Aikido.
You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can sign up for free.
Here's how:
- Login to your Aikido account
- Go to Runtime protection
- Go to services
- Click on "Add service"
- Choose a name for your service
- Click on "Generate token"
- Copy the token
- Set the token as an environment variable:
AIKIDO_TOKEN=your-token node your-app.js
(Or use dotenv to load the token from an .env
file)
Running in dry mode
If you want to test the guard without blocking any requests, you can set the AIKIDO_NO_BLOCKING
environment variable to true
:
AIKIDO_NO_BLOCKING=true node your-app.js
(Or use dotenv to load the token from an .env
file)
See Reporting NoSQL injections to Aikido to learn how to send events to Aikido.
Performance
We run a benchmark on every commit to make sure that the guard has a minimal impact on your application's performance.
The bench runs a simple MongoDB query to measure the difference between two runs with and without the guard:
Without guard | With guard | Difference in ms |
---|---|---|
0.214ms | 0.222ms | +0.008ms |
(Using Node.js 18.x and MongoDB 6.3.x, results will vary depending on your hardware)
See benchmarks for more information.
Development
$ make install
to install dependencies$ make build
to build the library$ make watch
to watch for changes and rebuild the library$ make test
to run tests using tap$ make end2end
to run end-to-end tests using tap$ make lint
to run ESLint