1.0.3 • Public • Published

Simple WAF to integrate with Node.js web systems

Build Status Coverage Status License: MIT npm node Gitter


WAF-JS is a simple WAF developed for basic protection on Node.JS web systems, providing basic bot detection, HTTP method checking and some HTTP headers analysis. With a simple package install and passing some arguments, it can check if you want to continue handling the request, or simply drop it, log it or redirect it somewhere else.

It can be configurable by passing the allowed / desirable HTTP request methods and content types, and it also makes it possible to extend the current bot signatures.


In order to install WAF-JS package, simply run:
npm install wafjs --save

Available Methods

  • isBotCheck({'user-agent'}) Based on pre-defined rules / signatures (with the possibility of extending them), and taking the user-agent field from the request headers, it tries to check of the request is from a known bot / crawler / spider, etc.. Receives the user-agent as argument and returns a boolean value (if bot: true | not bot: false)

  • extendBotSigs({signatures}) Allows the extension of pre-defined bot / crawlers, spiders, etc... signatures. Receives an array of signatures to be added to the pre-defined ones.

  • removeBotSig({signature}) Removes a signature from the list.

  • reqCheck({request method}, {content-type}) Checks the request, analysing the HTTP request method and content type, and matching it with the given config (allowed methods & content types). Receives the request method and request headers content-type property and returns a boolean value (valid / allowed request: true | invalid / forbidden request: false)

  • wafChecks({user-agent}, {request method}, {content-type}) Performs both checks (bot and requests) returning a boolean value as response, according with the validity of the request components. Receives the request headers user-agent property, the request method and the request headers content-type property as parameters. Returns a boolean (not a bot AND valid request: true | is bot OR invalid request: false)

Configuration & Usage

The following arguments are required to be passed to WAFJS

  • Configuration object containing the allowedMethods & contentTypes

example of base config:

const baseConfig = {
  allowedMethods: ['GET', 'POST', 'PATCH', 'DELETE'], // allowed / desired HTTP methods
  contentTypes: ['application/json', 'multipart/form-data'] // allowed / desired content-types

The wafjs package exports a class (WAFJS), wich can be instantiated as follows:

// package requirement
const { WAFJS } = require('wafjs') 
// declaring new WAFJS class instance
let _wafjs = new WAFJS(baseConfig)
// usage example | bot check
  res.statusCode = 403
// usage example | extend bot signatures
_wafjs.extendBotSigs(['newSig#1', 'newSig#2'])
// usage example | remove signature
// usage example | request check
if(_wafjs.reqCheck(req.method, req.headers['content-type'])){
  res.statusCode = 403
// usage example | waf checks
if(_wafjs.wafChecks(req.headers['user-agent'], req.method, req.headers['content-type'])){
  res.statusCode = 403

Express.JS (and other frameworks) integration example

WAFJS can easily be integrated into ExpressJS as middleware, analysing the request before any further handling by the web system:

  // WAF middleware validation & request id injection on every request
  express.use(async (req, res, next) => {
    if(_wafjs.reqCheck(req.method, req.headers['content-type']))

WAFJS may also be easily integrated in other frameworks (Loopback, etc..) using the same approach as described above.

Package Sidebar


npm i wafjs

Weekly Downloads






Unpacked Size

13.4 kB

Total Files


Last publish


  • undertuga