Stop bots, scrapers, and zero-day probes. Keep the traffic that matters.
A free firewall for Node.js apps. Blocks 500,000+ known-bad IPs — bots, scanners, credential stuffers, vulnerability probes — refreshed hourly. Allowlists Googlebot, GPTBot, ClaudeBot, and other legit SEO / AI crawlers so your search rankings and AI visibility stay intact. Runs inside your app — no Cloudflare account, no AWS WAF, no load balancer rules, no network reconfiguration. One flag on your start command.
Running a Node.js app in 2026 means fighting bots every day.
Scrapers rack up your bandwidth bill. Zero-day scanners probe for CVEs hours after they drop. Credential stuffers hammer your login. And the usual fix — a heavy-handed WAF — often takes out Googlebot and GPTBot along with the attackers, tanking your SEO and AI visibility.
“Woke up to a $3,400 egress bill. Turns out someone was scraping our API endpoints for 72 hours straight. Cloudflare didn't catch it because they rotated IPs every 2 minutes.”
“Got probed for a CVE that dropped 6 hours ago. My app isn't even vulnerable, but the logs are now 90% attack noise. How are small teams supposed to keep up?”
“Enabled a WAF and lost 40% of my Google traffic overnight. Turns out it was blocking Googlebot and GPTBot as 'bots'. AI crawlers are how people find us now.”
“Spent the weekend writing a custom IP blocker after credential-stuffing attacks hit our login 400k times. I shouldn't have to build a bot filter from scratch in 2026.”
“LLM scrapers are pounding our docs at 200 req/sec with no throttle, no robots.txt respect. We pay the bandwidth, they train on our content. There has to be a middle ground.”
“Vulnerability scanners are 70% of our 4xx traffic. Our error dashboards are useless — real customer issues are drowning in /wp-admin and /.env probes.”
Illustrative — based on common community complaints.
A preload. A blocklist. An allowlist. That's it.
Node preload, zero code change
Add one flag to your start command: node -r securenow/firewall-only app.js. Node loads the firewall module before your app — no imports, no middleware, no refactor.
Blocklist pulled & cached locally
On startup the firewall fetches the 500k+ IP feed from our CDN, then caches it in memory for O(1) lookups. A background worker refreshes the cache hourly — your app never blocks on a network call.
Bad IPs rejected before your handlers run
A tiny hook on Node's HTTP layer checks the client IP against the blocklist. Matches are rejected with 403 in microseconds. Legit crawlers and everyone else pass through untouched.
Fails open — never your downtime
If the blocklist fetch ever fails (network, DNS, our CDN), the firewall logs a warning and stops filtering. Your app keeps serving traffic normally. Protection is additive — it can never take you down.
Three levels of protection. All on your box.
Every level runs inside your app or on the same host. No Cloudflare account. No AWS WAF setup. No load balancer rules. No ops ticket. No network reconfiguration. One env var flips each level on — or let the AI onboarding prompt do it for you.
HTTP 403
Sub-ms per request
Default · app-level · zero config
The default. Start your app with the firewall preload and this is already running.
A tiny hook on Node's HTTP server intercepts requests from blocked IPs and responds with 403 before any of your handlers, middleware, or framework routing runs.
- Pure app-level — no OS privileges, no root, no CAP_NET_ADMIN
- Works on any host: Vercel, Fly.io, Render, Heroku, Railway, bare VPS, Docker, Kubernetes
- Zero configuration outside your app — no Cloudflare account, no AWS WAF, no load balancer rules
(always on)
TCP Drop
Microseconds — no HTTP parse
Opt-in · app-level · deeper
When you want to skip HTTP parsing entirely for blocked IPs — ideal for high-traffic APIs getting hammered by scrapers.
Patches net.Server.prototype to destroy the TCP socket as soon as a connection is accepted from a blocked IP. The attacker never gets past the handshake, your app never sees the bytes.
- Still runs entirely inside your Node process — no OS-level setup
- Attackers see a hard connection reset, not a 403 — less feedback for scanners
- Reduces TLS / HTTP parse overhead under bot storms
SECURENOW_FIREWALL_TCP=1
OS Firewall (iptables / nftables)
Kernel-path — effectively free
Opt-in · kernel-level · Linux
Maximum-depth protection when you're running on Linux and can grant root / CAP_NET_ADMIN to your app.
Manages a dedicated SECURENOW_BLOCK iptables or nftables chain. Packets from blocked IPs are DROPPED at the kernel — they never reach user space, let alone your Node process.
- Still runs on the same box as your app — no external service, no network reconfiguration
- Auto-detects iptables vs nftables backend
- Works alongside Layer 1 and Layer 2 — they stack
SECURENOW_FIREWALL_IPTABLES=1
Don't want to pick? The AI prompt handles it.
The onboarding wizard generates a Cursor / Claude prompt that asks what environment you run in (serverless, Linux VPS with root, container, etc.) and enables the right levels automatically. You never touch the env vars unless you want to.
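The Level 1 (HTTP 403) and Level 2 (TCP drop) checks and the open / closed fail modes described above, written out as an added example; this is not SecureNow's code. The names `normalizeIp`, `decide`, `guardHttp`, `guardTcp` and `sampleState` are hypothetical, the addresses are constructed from documentation ranges, and the code assumes `socket.remoteAddress` is the real client address.

```javascript
// Added illustration, not SecureNow's code. All names here are hypothetical.

// Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
function normalizeIp(addr) {
  if (!addr) return '';
  const a = addr.toLowerCase();
  return a.startsWith('::ffff:') && a.includes('.') ? a.slice(7) : a;
}

// state.blocked / state.allowed are Sets (O(1) membership);
// state.loaded stays false until a blocklist fetch has succeeded.
function decide(addr, state, failMode = 'open') {
  const ip = normalizeIp(addr);
  if (state.allowed.has(ip)) return 'allow'; // allowlist always wins
  if (!state.loaded) return failMode === 'closed' ? 'block' : 'allow';
  return state.blocked.has(ip) ? 'block' : 'allow';
}

// Level 1: wrap the request handler so blocked peers get the status code
// before any application handler runs.
function guardHttp(handler, state, opts = {}) {
  const { failMode = 'open', statusCode = 403 } = opts;
  return (req, res) => {
    if (decide(req.socket.remoteAddress, state, failMode) === 'block') {
      res.statusCode = statusCode;
      res.setHeader('Connection', 'close');
      return res.end();
    }
    return handler(req, res);
  };
}

// Level 2: destroy the socket on accept, before any request bytes are read.
function guardTcp(server, state, failMode = 'open') {
  server.on('connection', (socket) => {
    if (decide(socket.remoteAddress, state, failMode) === 'block') socket.destroy();
  });
  return server;
}

// Constructed sample state (documentation-range addresses).
const sampleState = {
  loaded: true,
  blocked: new Set(['203.0.113.42', '198.51.100.7']),
  allowed: new Set(['192.0.2.10', '198.51.100.7']),
};
```

Behind a reverse proxy, CDN or platform router the peer address is the proxy's, so an in-process check like this only sees real clients if it reads the client address supplied by a trusted hop.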
Real protection, no collateral damage.
Six reasons teams drop the firewall in on day one — even before they consider the paid tracing tier.
500k+ known-bad IPs
Active bots, scanners, credential stuffers, and zero-day vulnerability probes — pooled from attack telemetry across the SecureNow network and curated open-source feeds.
Refreshed hourly
New threats are ingested, deduplicated, and pushed to your firewall within ~60 minutes of first being observed in the wild.
Bandwidth & infra savings
Scrapers, crawlers, and bot swarms are rejected before they hit your origin. Lower CDN bills, less CPU, smaller egress — often the firewall pays for itself (especially at the $0 tier).
Good bots stay welcome
Googlebot, Bingbot, GPTBot, ClaudeBot, PerplexityBot and other legitimate SEO / AI crawlers are on a curated allowlist. Your search rankings and AI discoverability are preserved.
Zero tracing, zero overhead
No OTel, no traces, no logs, no request-body capture. Just the IP blocklist preloaded as a Node hook — sub-millisecond check per request, fails open if ever unreachable.
No SDK plugging
You don't wire anything into your app code. One flag on your start command and you're protected — works with Express, Next.js, NestJS, Fastify, Nuxt 3, Koa, Hono, Hapi, h3, and more.
We're the only firewall that lets Googlebot, GPTBot, and ClaudeBot through by default.
Most bot-blockers treat every crawler as hostile. That takes out the bots that actually bring you traffic: Google, Bing, ChatGPT, Claude, Perplexity, Apple Intelligence. When users ask an LLM “what's the best X for Y?”, you want to be in the answer. SecureNow keeps you there.
Two minutes, three commands.
Pick your framework, copy the snippet, start your app. The blocklist loads on startup — you're protected before the first request hits your handlers.
npm install --save securenow
npx securenow login
Browser opens → pick an app → click Enable firewall. The key lands in .securenow/credentials.json (auto-gitignored). No env var needed.
Already have a key? npx securenow api-key set snk_live_...
"start": "node -r securenow/firewall-only app.js"
Or skip package.json and run directly: node -r securenow/firewall-only app.js
[securenow] firewall: loaded N IPs — that line means the blocklist is live.
Block an IP. Check the firewall. From your terminal.
Everything the firewall does is scriptable. Use it in CI, cron jobs, incident response playbooks, or straight from your shell.
securenow run --firewall-only app.js
Start your app with the firewall preloaded — no tracing, no OTel, just the blocklist.
securenow firewall status
Show whether the firewall is active, how many IPs are loaded, and when the blocklist was last refreshed.
securenow firewall test-ip 203.0.113.42
Check whether a specific IP would be blocked by the current blocklist — without actually sending a request.
securenow blocklist
List every IP currently in your personal blocklist (added on top of the global 500k feed).
securenow blocklist add 198.51.100.7 --reason "brute-forced login"
Manually block an IP. Propagates to your firewall instances within the next sync window.
securenow blocklist remove <id>
Unblock an IP by its blocklist entry ID (shown by `securenow blocklist`).
securenow allowlist add 192.0.2.10
Force-allow an IP. Useful for your own office, CI runners, or monitoring services.
securenow trusted
Show the built-in allowlist of legitimate SEO / AI crawlers (Googlebot, GPTBot, ClaudeBot, etc.) so you can confirm they're whitelisted.
Every knob, every default.
The firewall is driven by environment variables — the Twelve-Factor way. Since v7.1.0 the key lives in .securenow/credentials.json (written by npx securenow login), so nothing below is strictly required — each variable just lets you override a default. In practice the AI onboarding prompt sets these for you based on your environment — this table is only here if you want to read what each flag does or tune them by hand.
| Variable | Default | Description |
|---|---|---|
| SECURENOW_API_KEY | — | The firewall's snk_live_ API key. Since 7.1.0, running `npx securenow login` saves this to .securenow/credentials.json automatically — you only need this env var if you want to override the creds file or bypass the CLI. |
| SECURENOW_API_URL | https://api.securenow.ai | API endpoint the firewall syncs against. Override only for self-hosted / enterprise instances. |
| SECURENOW_FIREWALL_ENABLED | 1 | Set to 0 to disable the firewall entirely without removing the preload flag. Useful for quick A/B rollbacks. |
| SECURENOW_FIREWALL_TCP | 0 | Set to 1 to enable Level 2 (TCP socket drop). Still app-level — no OS privileges required. |
| SECURENOW_FIREWALL_IPTABLES | 0 | Set to 1 to enable Level 3 (kernel iptables / nftables). Linux only — needs root or CAP_NET_ADMIN. |
| SECURENOW_FIREWALL_FAIL_MODE | open | What to do if the blocklist fetch fails. open = let traffic through (no downtime); closed = reject everything until recovery. |
| SECURENOW_FIREWALL_STATUS_CODE | 403 | HTTP status code returned for Layer 1 blocks. 403 Forbidden by default; some prefer 444 or 429. |
| SECURENOW_FIREWALL_SYNC_INTERVAL | 300 | Seconds between full blocklist re-syncs. Default is 5 minutes. New IPs also arrive via hourly version checks. |
| SECURENOW_FIREWALL_VERSION_INTERVAL | 10 | Seconds between lightweight version checks that reveal whether a new blocklist version is available. |
| SECURENOW_FIREWALL_LOG | 1 | Set to 0 to silence the firewall's startup / status / block log lines. |
You shouldn't need to read this table.
Sign up, click Firewall only in the onboarding wizard, and paste the generated prompt into Cursor Agent or Claude Code. It picks up your framework, writes the .env, updates your package.json, and enables the right protection level for your host — no env-var memorization required.
The firewall is the door. The dashboard is the full picture.
When you're ready for full-fidelity traces, log forwarding, request-body capture, and AI forensics that reconstruct every attacker session end-to-end, one env var flips firewall-only mode into full SecureNow. Same account. Same blocklist. Much more visibility.
Questions teams ask before dropping it in.
Is it really free?
securenow/firewall-only preload are free forever. Paid tiers add full OTel tracing, logs, body capture, and AI-powered forensics — but you never have to upgrade to keep the firewall.
How is this different from Cloudflare / a WAF?
Does the firewall slow down my app?
What frameworks are supported?
http.createServer. For Next.js / Nuxt, use NODE_OPTIONS='-r securenow/firewall-only' next start (or equivalent).
How do you keep legit bots from being blocked?
securenow trusted to see the full list.
Can I add my own blocked / allowed IPs?
securenow blocklist add / allowlist add, or from the dashboard. Your personal lists layer on top of the global 500k feed.
What do you actually get in paid?
Block the bots. Keep the signal.
500k+ bad IPs, refreshed hourly, Googlebot welcome. $0.