Protect your Node.js app in 3 lines of code
Stop SQL injection, XSS, bots, and 10+ attack types automatically
Quick Start • Features • Examples • Documentation
- 3-Line Setup - Seriously. Copy, paste, protected.
- Beautiful UI - Custom loading screens with your branding
- Instant Alerts - Get notified in Slack/Discord when attacks happen
- Auto Bot Blocking - Stops scrapers, scanners, and automated attacks
- Built-in Analytics - See what's being attacked in real-time
- Works Everywhere - Express, Next.js, Vercel, AWS Lambda, anywhere
- Completely Free - MIT licensed, use it anywhere
Install straight from the GitHub repository (this pulls the default branch; for reproducible builds pin a tag or commit with `CamozDevelopment/Aimless-Security#<ref>`):

```bash
npm install CamozDevelopment/Aimless-Security
```

```javascript
const express = require('express');
const { Aimless } = require('aimless-security');

const app = express();
app.use(express.json()); // body parsing first, so the middleware can inspect JSON bodies

const aimless = new Aimless({ rasp: { enabled: true } });
app.use(aimless.middleware()); // That's it! You're protected

app.listen(3000);
```

Done! Your app is now protected against:
- SQL Injection
- XSS Attacks
- Command Injection
- Path Traversal
- NoSQL Injection
- CSRF Attacks
- XXE & SSRF
- Rate Limit Abuse
- Bot/Scanner Traffic
- Unicode SQL Injection
- Polyglot Attacks
- Fixed crash when request data contains undefined values
- Improved null safety in AdvancedThreatDetector
- Enhanced error handling in threat detection pipeline
```javascript
const aimless = new Aimless({
  rasp: {
    enabled: true,
    // Loading screen shown while the request is checked
    loadingScreen: {
      enabled: true,
      message: 'Verifying your request...'
    },
    // Custom message shown when a request is blocked
    customBlockMessage: 'Contact support@yourcompany.com'
  }
});

app.use(aimless.loading());    // Add before middleware
app.use(aimless.middleware());
```

Get instant alerts in Slack or Discord when attacks happen:
```javascript
webhooks: {
  enabled: true,
  url: 'https://hooks.slack.com/services/YOUR/WEBHOOK/URL', // the URL is a secret: load it from an environment variable, do not commit it
  events: ['block', 'threat'] // What to notify about
}
```

Automatically detect and block bots, scrapers, and automated attacks:
```javascript
requestFingerprinting: {
  enabled: true,
  blockAutomatedTraffic: true // Auto-block bots; this also blocks curl, uptime monitors and API clients that send no browser headers, so leave it off for pure APIs
}
```

Track what's being attacked in real-time:
```javascript
// Put this route behind authentication: it exposes attacker IPs and attack counts
app.get('/analytics', (req, res) => {
  res.json(aimless.getAnalytics()); // Get detailed metrics
});
```

Rate limits that adapt based on IP reputation:
```javascript
rateLimiting: {
  enabled: true,
  maxRequests: 100,
  windowMs: 60000,
  dynamicThrottling: true // Lower limits for suspicious IPs
}
```

Limits are keyed by client IP. Behind a reverse proxy or load balancer, configure Express's `trust proxy` setting so that `req.ip` is the real client address; otherwise every request appears to come from the proxy and shares one bucket.

- SQL Injection - 30+ patterns including Unicode SQL
- XSS Protection - Multi-layer detection with sanitization
- Polyglot Attacks - Detects combined SQL+XSS attacks
- Command Injection - PowerShell, Bash, file operations
- Path Traversal - Directory traversal prevention
- NoSQL Injection - MongoDB, Redis, CouchDB
- CSRF Protection - Automatic token generation
- XXE & SSRF - XML and server-side request forgery
- Rate Limiting - Prevent abuse and DoS attacks
- Custom Loading Screens - Beautiful security check UI
- Webhook Notifications - Slack/Discord alerts
- Bot Detection - Block automated traffic
- Security Analytics - Real-time attack metrics
- IP Reputation - Automatic threat scoring
- Access Control - Define allowed/blocked endpoints
- API Fuzzing - Find vulnerabilities before attackers do
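Several of the items above (Unicode SQL, polyglot detection, and the sanitising validate() call shown later) come down to one principle: normalise the input before matching signatures, or encoded and Unicode variants of the same payload walk past the rules. The following is an added example, not Aimless's own code, of that principle in plain Node.js; the rule set, the normalisation steps and the sample payloads are constructed for illustration.

```javascript
// Added example, not Aimless's own code: a signature matcher that normalises
// input before matching. Rules and sample payloads are constructed for the demo.

const SQL_RULES = [
  { id: 'sql-tautology',     re: /'\s*or\s+'?\d+'?\s*=\s*'?\d+/ },          // ' or 1=1
  { id: 'sql-union',         re: /\bunion\b[\s\S]*\bselect\b/ },             // union ... select
  { id: 'sql-stacked',       re: /;\s*(drop|delete|insert|update|alter)\b/ }, // ; drop table ...
  { id: 'sql-quote-comment', re: /'\s*(--|\/\*)/ },                          // '-- cuts off the rest of the query
];
const XSS_RULES = [
  { id: 'xss-script-tag', re: /<\s*script\b/ },
  { id: 'xss-event-attr', re: /\bon[a-z]+\s*=/ },   // onerror=, onload=, ...
  { id: 'xss-js-url',     re: /javascript\s*:/ },
];

// Normalisation is what defeats the common evasions.
function normalize(raw) {
  let s = String(raw);
  // 1. URL-decode, bounded, so %2527 -> %27 -> ' (double encoding) is undone.
  for (let i = 0; i < 3; i++) {
    let decoded;
    try { decoded = decodeURIComponent(s); } catch { break; } // malformed %xx: stop, keep what we have
    if (decoded === s) break;
    s = decoded;
  }
  // 2. Unicode compatibility folding: fullwidth ＇ ｏｒ １＝ become ' or 1=.
  s = s.normalize('NFKC');
  // 3. NUL bytes are ignored by some parsers and would otherwise split a signature.
  s = s.replace(/\0/g, '');
  // 4. Inline comments act as whitespace in SQL (UNION/**/SELECT); collapse them and case-fold.
  s = s.replace(/\/\*[\s\S]*?\*\//g, ' ').replace(/\s+/g, ' ').toLowerCase();
  return s;
}

function matchRules(s) {
  return [...SQL_RULES, ...XSS_RULES].filter(r => r.re.test(s)).map(r => r.id);
}

// Result shape mirrors the validate() section: safe/unsafe plus which families fired.
function inspect(raw) {
  const normalized = normalize(raw);
  const matched = matchRules(normalized);
  const sql = matched.some(id => id.startsWith('sql-'));
  const xss = matched.some(id => id.startsWith('xss-'));
  return { safe: matched.length === 0, sql, xss, polyglot: sql && xss, matched, normalized };
}

// The same rules on the raw string: what a filter without normalisation sees.
function inspectRaw(raw) {
  return matchRules(String(raw).toLowerCase());
}

// Constructed payloads, one per evasion technique, plus a benign control.
const SAMPLES = {
  plain:         "admin' OR 1=1 --",
  doubleEncoded: 'admin%2527%2520OR%25201%253D1',            // %25 is '%', so two decode passes are needed
  fullwidth:     'admin＇ ｏｒ １＝１',                        // U+FF07 U+FF4F U+FF52 U+FF11 U+FF1D
  commentSplit:  '1 UNION/**/SELECT password FROM users',
  stacked:       '1; DROP TABLE users',
  polyglot:      `'"><script>alert(1)</script>' OR 1=1--`,   // SQL and XSS in one string
  xssOnly:       '<img src=x onerror=alert(1)>',
  benign:        "O'Reilly & Sons (est. 1985)",
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  const r = inspect(raw);
  console.log(`${name.padEnd(14)} normalised=${JSON.stringify(r.normalized)} matched=[${r.matched}] raw-only=[${inspectRaw(raw)}]`);
}
```

Detection of this kind is defence in depth, not a substitute for parameterised queries and contextual output encoding in the application itself, and signature rules do produce false positives (the onerror rule above also fires on a field containing `online=true`), which is why a monitor-only rollout before blocking is worth doing.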
Basic:

```javascript
const aimless = new Aimless({ rasp: { enabled: true } });
app.use(aimless.middleware());
```

Full configuration:

```javascript
const aimless = new Aimless({
  rasp: {
    enabled: true,
    blockMode: true, // false = monitor only: detect, log and alert without blocking
    // Custom UI
    customBlockMessage: 'For support: security@example.com',
    loadingScreen: {
      enabled: true,
      message: 'Checking security...',
      minDuration: 500
    },
    // Webhooks (the URL is a secret: read it from an environment variable)
    webhooks: {
      enabled: true,
      url: 'https://discord.com/api/webhooks/YOUR/WEBHOOK',
      events: ['block', 'threat']
    },
    // Bot detection
    requestFingerprinting: {
      enabled: true,
      blockAutomatedTraffic: true
    },
    // Analytics
    analytics: {
      enabled: true,
      retention: 30
    },
    // Smart rate limiting
    rateLimiting: {
      enabled: true,
      maxRequests: 100,
      windowMs: 60000,
      dynamicThrottling: true
    }
  }
});

// Add middleware (order matters!)
app.use(aimless.loading());    // 1. Loading screen
app.use(aimless.middleware()); // 2. Security protection
```

Validate a single field explicitly, for example before writing it to the database:

```javascript
app.post('/api/user', (req, res) => {
  const result = aimless.validate(req.body.username)
    .against(['sql', 'xss'])
    .sanitize()
    .result();

  if (!result.safe) {
    return res.status(403).json({ error: 'Invalid input' });
  }

  // Use result.sanitized rather than the raw field; createUser is your own persistence code
  createUser(result.sanitized);
});
```

CSRF protection:

```javascript
app.use(aimless.csrf()); // Adds CSRF tokens (exposed to views as res.locals.csrfToken)

app.get('/form', (req, res) => {
  res.send(`
    <form method="POST">
      <!-- the name attribute is required, otherwise the browser never submits the token;
           the field name the middleware reads is not documented on this page, _csrf is assumed -->
      <input type="hidden" name="_csrf" value="${res.locals.csrfToken}">
      <button>Submit</button>
    </form>
  `);
});
```

Security analytics:

```javascript
app.get('/admin/security', (req, res) => {
  // Put this route behind your admin authentication: it exposes attacker IPs and attack counts
  const analytics = aimless.getAnalytics();
  res.json({
    totalRequests: analytics.totalRequests,
    threats: analytics.threatsDetected,
    blocked: analytics.threatsBlocked,
    topAttackTypes: analytics.topAttackTypes,
    topAttackIPs: analytics.topAttackIPs
  });
});
```

The loading screen shows while Aimless checks requests. Perfect for user-facing apps:
```javascript
loadingScreen: {
  enabled: true,
  message: 'Verifying your request security...',
  minDuration: 1000 // Show for at least 1 second
}
```

Note that minDuration is a floor on latency: every HTML response that goes through the loading screen takes at least that long, so keep it small (or disable the screen) on latency-sensitive pages.

Features:
- Dark theme design with your logo
- Smooth animations
- Customizable message
- Only shows on HTML responses
Get notified instantly when attacks happen:
Discord:
```javascript
webhooks: {
  enabled: true,
  url: 'https://discord.com/api/webhooks/YOUR/WEBHOOK/URL',
  events: ['block', 'threat', 'rateLimit']
}
```

Slack:
```javascript
webhooks: {
  enabled: true,
  url: 'https://hooks.slack.com/services/YOUR/WEBHOOK/URL',
  events: ['all'] // every event; under an active scan this floods the channel, so prefer a specific list in production
}
```

Automatically identify and block:
- curl, wget, python-requests
- Headless browsers (Puppeteer, Selenium)
- Security scanners (SQLMap, Burp, ZAP)
- Missing browser headers
- Suspicious patterns
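The signals above (tool User-Agents, headless browsers, scanners, missing browser headers) are cheap to compute per request, and the same per-IP state can drive the dynamic throttling described in the rate-limiting section. The following is an added example, not Aimless's own code, that scores a request from its headers, keeps a 0-100 reputation per IP, and shrinks that IP's rate limit as the reputation drops. The User-Agent list, the weights, the threshold, the reputation arithmetic and the sample requests are all constructed for the demo.

```javascript
// Added example, not Aimless's own code: request fingerprinting feeding a per-IP
// reputation that scales the rate limit. Weights, thresholds and samples are constructed.

// User-Agent substrings of HTTP libraries, headless browsers and scanners.
const TOOL_UA = /curl|wget|python-requests|go-http-client|java\/|sqlmap|burpsuite|owasp zap|nikto|headlesschrome|phantomjs|selenium|puppeteer/i;
// Headers every mainstream browser sends on a navigation; libraries usually omit some.
const BROWSER_HEADERS = ['accept', 'accept-language', 'accept-encoding'];
const AUTOMATED_THRESHOLD = 50;

function fingerprint(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ua = h['user-agent'] || '';
  let score = 0;
  const reasons = [];
  if (!ua) { score += 40; reasons.push('no-user-agent'); }
  const tool = ua.match(TOOL_UA);
  if (tool) { score += 60; reasons.push(`tool-ua:${tool[0].toLowerCase()}`); }
  const missing = BROWSER_HEADERS.filter(name => !(name in h));
  for (const name of missing) { score += 15; reasons.push(`missing:${name}`); }
  // A UA claiming to be a browser while lacking browser headers is the classic spoofed scraper.
  if (/mozilla\//i.test(ua) && !tool && missing.length > 0) { score += 20; reasons.push('browser-ua-without-browser-headers'); }
  return { score, automated: score >= AUTOMATED_THRESHOLD, reasons };
}

class ReputationLimiter {
  constructor({ maxRequests = 100, windowMs = 60000, dynamicThrottling = true, blockAutomatedTraffic = false } = {}) {
    Object.assign(this, { maxRequests, windowMs, dynamicThrottling, blockAutomatedTraffic });
    this.clients = new Map(); // ip -> { hits: [timestamps inside the window], reputation: 0..100 }
  }

  // Decision for one request. `now` is injectable so runs are reproducible.
  check(ip, headers, now = Date.now()) {
    const fp = fingerprint(headers);
    const c = this.clients.get(ip) || { hits: [], reputation: 100 };
    // A flagged request costs 25 points, a clean one earns 1 back: a burst of bot traffic hits
    // the floor within a few requests, while an occasional odd header barely moves the score.
    c.reputation = Math.max(0, Math.min(100, c.reputation + (fp.automated ? -25 : 1)));
    c.hits = c.hits.filter(t => now - t < this.windowMs); // sliding window
    c.hits.push(now);
    this.clients.set(ip, c);

    const floor = Math.ceil(this.maxRequests / 10); // never zero: a throttled IP can still earn its way back
    const limit = this.dynamicThrottling
      ? Math.max(floor, Math.ceil(this.maxRequests * c.reputation / 100))
      : this.maxRequests;
    const rateLimited = c.hits.length > limit;
    const botBlocked = this.blockAutomatedTraffic && fp.automated;
    return { allowed: !rateLimited && !botBlocked, rateLimited, botBlocked, limit, reputation: c.reputation, fingerprint: fp };
  }
}

// Constructed sample requests (header objects as a client would send them).
const CHROME = {
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'Accept-Language': 'en-US,en;q=0.9',
  'Accept-Encoding': 'gzip, deflate, br',
};
const CURL = { 'User-Agent': 'curl/8.4.0', 'Accept': '*/*' };
const SQLMAP = { 'User-Agent': 'sqlmap/1.7 (https://sqlmap.org)', 'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate' };
const HEADLESS = { ...CHROME, 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/120.0.0.0 Safari/537.36' };
const SPOOFED = { 'User-Agent': CHROME['User-Agent'], 'Host': 'example.com' }; // browser UA, no browser headers

for (const [name, h] of Object.entries({ CHROME, CURL, SQLMAP, HEADLESS, SPOOFED })) {
  console.log(name.padEnd(9), fingerprint(h));
}
const limiter = new ReputationLimiter({ maxRequests: 100, windowMs: 60000 });
for (let i = 0; i < 12; i++) {
  const r = limiter.check('203.0.113.5', CURL, 1000 + i);
  console.log(`curl request ${i + 1}: allowed=${r.allowed} limit=${r.limit} reputation=${r.reputation}`);
}
```

Two things the runs show: a browser-looking User-Agent on its own is no evidence of a browser, and with blockAutomatedTraffic on, curl, uptime monitors and API clients are refused on their first request, so for a JSON API keep that option off and let throttling handle abuse.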
```javascript
requestFingerprinting: {
  enabled: true,
  blockAutomatedTraffic: true
}
```

API reference:

- `aimless.middleware()` - Main security middleware
- `aimless.loading()` - Loading screen middleware
- `aimless.csrf()` - CSRF protection
- `aimless.validate(input)` - Validate user input
- `aimless.sanitize(text)` - Sanitize output
- `aimless.getAnalytics()` - Get security metrics
- `aimless.getIPReputation(ip)` - Get IP score (0-100)
Configuration reference:

```javascript
{
  rasp: {
    enabled: boolean,               // Enable protection
    blockMode: boolean,             // Block threats (false = monitor: detect and report, but let requests through)
    customBlockMessage: string,     // Custom block message
    loadingScreen: { ... },         // Loading screen config
    webhooks: { ... },              // Webhook config
    requestFingerprinting: { ... }, // Bot detection
    analytics: { ... },             // Analytics config
    rateLimiting: { ... }           // Rate limit config
  },
  logging: {
    enabled: boolean,
    level: 'info' | 'warn' | 'error'
  }
}
```

Roll out with blockMode: false first and review the analytics and webhook output for false positives (signature matching can flag legitimate input such as a comment containing "select" or pasted HTML), then switch to blocking.

Next.js:

```javascript
// pages/api/[...all].js
import { Aimless } from 'aimless-security';

const aimless = new Aimless({ rasp: { enabled: true } });

export default async function handler(req, res) {
  // Analyze request
  const threats = aimless.analyze({
    method: req.method,
    path: req.url,
    query: req.query,
    body: req.body,
    headers: req.headers,
    // X-Forwarded-For is client-supplied except for the entry a proxy you control appends;
    // trust only that entry, otherwise attackers choose their own IP and defeat
    // IP-based rate limiting and reputation
    ip: req.headers['x-forwarded-for'] || req.socket.remoteAddress
  });

  // Block if threats found
  if (threats.length > 0) {
    return res.status(403).json({ error: 'Request blocked' });
  }

  // Your API logic
  res.json({ status: 'ok' });
}
```

Works out of the box with serverless frameworks!
See examples above - just app.use(aimless.middleware())
- Complete Documentation - Full API reference
- Examples - Working code examples
- Changelog - Version history
Contributions welcome! Please see our contributing guidelines.
MIT - Use it anywhere, for free!
- Report Issues
- Star on GitHub
- Contact: CamozDevelopment
Made with ❤️ for the Node.js community