Adding an IP Firewall to NestJS Without Cloudflare

NestJS apps run on Node.js with an HTTP adapter — Express by default, Fastify if you've configured it. Either way, the SecureNow preload adds a managed IP firewall in one line, no DNS changes required.

For broader context see the SecureNow Firewall page.

The one-line setup

npm install securenow

# In your start command:
node -r securenow/firewall-only dist/main.js

In a Dockerfile:

CMD ["node", "-r", "securenow/firewall-only", "dist/main.js"]

In a process manager (PM2):

// ecosystem.config.js
module.exports = {
  apps: [{
    name: 'nestjs-app',
    script: 'dist/main.js',
    node_args: '-r securenow/firewall-only',
  }],
};

The firewall sits at the HTTP server level — below NestJS, below Express/Fastify. Bad IPs get a 403 before any NestJS code runs.

What you get out of the box

• 500k known-bad IPs (SecureNow AI IPDB feed)
• Hourly refresh
• Auto-allowlist for Googlebot, Bingbot, GPTBot, ClaudeBot, PerplexityBot
• Sub-millisecond per-request overhead
• Fail-open on backend unreachability
• Free at any traffic level

Hand-rolled NestJS Middleware (alternative)

If you want application-layer control:

// src/firewall/firewall.middleware.ts
import { Injectable, NestMiddleware } from '@nestjs/common';
import { Request, Response, NextFunction } from 'express';

const blocklist = new Set<string>();
// ... load from file or feed

@Injectable()
export class FirewallMiddleware implements NestMiddleware {
  use(req: Request, res: Response, next: NextFunction) {
    const ip = (req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim()
      || req.socket.remoteAddress;
    if (ip && blocklist.has(ip)) {
      return res.status(403).send('Forbidden');
    }
    next();
  }
}

Apply globally:

// src/app.module.ts
import { MiddlewareConsumer, Module, NestModule } from '@nestjs/common';
import { FirewallMiddleware } from './firewall/firewall.middleware';

@Module({ /* ... */ })
export class AppModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer.apply(FirewallMiddleware).forRoutes('*');
  }
}

The catch: maintaining a 50k-entry blocklist as code is impractical. Either pull from a feed periodically or use the SecureNow preload, which handles the feed for you.

Verifying

npx securenow firewall status

Returns the current blocklist size and last refresh time. To check a specific IP:

npx securenow firewall test-ip 185.220.101.42

Returns whether that IP would be blocked or allowed by the current ruleset.

Combining with NestJS Throttler

Run them together — different layers:

• SecureNow firewall: blocks known-bad IPs (reputation-based)
• NestJS Throttler: rate limits all IPs (rate-based)

Both run automatically; one is a preload, the other is a Module. No conflict.

When to use a CDN-level firewall instead

If you have:

• Layer-3/4 attacks (SYN floods, UDP amplification)
• Sophisticated bot traffic that mimics browsers perfectly
• DDoS protection requirements (uptime-critical traffic)

Move the IP firewall to your CDN (Cloudflare, AWS Shield, Imperva). Application-layer firewall handles 80% of attacks but not all.

Related

• Block bot traffic in NestJS
• Detect credential stuffing in NestJS
• Free SecureNow Firewall