Evidence-based firewall · Node.js · Self-hosted or hosted

Block behaviour, not identity.

Three lines of code protect any Express app. Path-based blocking catches 80% of attacks instantly. AumaTron watches the rest and suggests country or IP blocks, with evidence. You approve every decision.

const express = require('express');
const shield = require('@aumatron/shield-client');

const app = express();
// Register the shield middleware before your routes so every request is checked.
app.use(shield({
  apiUrl: 'https://shield.aumatron.com',
  apiKey: process.env.SHIELD_API_KEY,
}));

Why this firewall

Cloudflare's overkill. Fail2ban's clunky. WordPress plugins don't help Node. This is the firewall for everyone in between.

Instant path blocking

30+ scanner-bait paths (xmlrpc.php, wp-admin, .env, .git) get a 403 immediately; no country lookup needed. Catches ~80% of attacks.
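The path filter described above, as an added example written here (not the @aumatron/shield-client source); the bait list, including the phpmyadmin and cgi-bin entries, is constructed for illustration from the paths named on this page.

```javascript
// Added example in the spirit of the instant path blocking described above;
// this is not the @aumatron/shield-client source. The bait list below is
// constructed for illustration from the paths named on the page.
const SCANNER_BAIT = [
  /^\/xmlrpc\.php$/i,
  /^\/wp-(admin|login\.php|content|includes)(\/|$)/i,
  /(^|\/)\.env(\.|$)/i,   // .env, .env.bak, .env.local, in any directory
  /(^|\/)\.git(\/|$)/i,   // .git/config, .git/HEAD
  /^\/phpmyadmin(\/|$)/i,
  /^\/cgi-bin(\/|$)/i,
];

// Strip query/fragment, decode percent-encoding (so /%2Eenv is seen as /.env),
// and collapse repeated slashes before matching.
function normalizePath(rawUrl) {
  let path = rawUrl.split('?')[0].split('#')[0];
  try {
    path = decodeURIComponent(path);
  } catch (err) {
    // Malformed encoding: match against the literal path instead of failing.
  }
  return path.replace(/\/{2,}/g, '/');
}

function isScannerBaitPath(rawUrl) {
  const path = normalizePath(rawUrl);
  return SCANNER_BAIT.some((re) => re.test(path));
}

// Express-compatible middleware: answer 403 at once, with no lookup or upstream
// call. onBlock receives the request so the hit can be written to the block log.
function pathBlock(onBlock = () => {}) {
  return function (req, res, next) {
    if (isScannerBaitPath(req.url)) {
      onBlock(req);
      res.statusCode = 403;
      return res.end('Forbidden');
    }
    next();
  };
}
```

Mount it with app.use(pathBlock(logHit)) ahead of the shield middleware so bait hits never cost an API call.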

Evidence-based suggestions

When a country or IP shows coordinated attack behaviour, AumaTron suggests a block, with hit counts, unique IPs, and path patterns.

HDI-aware thresholds

Developing nations get a higher threshold (5× more evidence required) before a block is suggested. Benefit of the doubt for hijacked infrastructure.

Three lines of code

Express middleware. No DNS changes. No proxy migration. Works with your existing stack. Fails open: your service stays up even if shield is down.

Per-site dashboard

Live block stats, top countries, top IPs, top paths. 30-day log retention on Pro. Managed from one place for every service you run.

AumaTron alerts

Weekly digest of attack activity, instant pings when patterns cross your threshold. No noise, only signals that need a human decision.

Simple pricing

Start free. Upgrade when you need more sites or country blocking. Cancel any time.

Free
$0 forever
For one small service. Path-blocking only.
  • 1 protected site
  • Path-based blocking (30+ patterns)
  • 7-day log retention
  • Country & IP blocking
  • Evidence-based suggestions
  • Priority support
Start free
Team
$29 /month
For agencies and multi-admin teams.
  • Everything in Pro
  • 1-year log retention
  • Webhook alerts (Telegram, Slack)
  • Multiple admin users
  • API access
  • Priority support
Get Team

Frequently asked questions

Everything you'd want to know before signing up.

Does AumaShield Pro work with non-Node.js apps?
Today, the official client library @aumatron/shield-client is Express middleware for Node.js. The underlying /api/v1/check endpoint is a plain HTTP JSON API, though: you can call it from PHP, Python, Ruby, Go, or any language in 4 lines of code. We just haven't published official clients for those yet. If enough people want PHP or Python clients, we'll publish them; drop a note in the community forum.
What about static websites or WordPress?
Static sites don't have a server to run middleware, so AumaShield Pro's API-based approach doesn't fit them directly. For WordPress and PHP hosts, the legacy AumaShield app inside AumaTron generates geo-block.php + .htaccess and deploys via FTP, which works on any PHP host. For dynamic Node.js apps, use AumaShield Pro.
What's the difference between AumaShield and AumaShield Pro?
AumaShield (bundled in the AumaTron desktop app): FTP-deploys security rules to static/PHP sites. One user, their own sites, free with AumaTron.

AumaShield Pro (this hosted service): API-based middleware for Node.js apps. Multi-site dashboard, evidence-based suggestions, tiered pricing.

They complement each other. PHP site? Use the original. Node app? Use Pro.
Can I self-host AumaShield Pro?
Yes. The aumashield-pro server code is available: clone the repo, run it on your own VPS, and point your shield-client middleware at your own URL. No subscription needed. The hosted tier is for people who don't want to run their own infrastructure. Both paths get the same features.
Do I need to change my DNS or use a proxy?
No. Your app connects to AumaShield via outbound HTTPS; AumaShield isn't in front of your traffic, it's called from inside your app. Your existing DNS, SSL, and hosting stay unchanged. This is the main difference from Cloudflare: no DNS migration, no "nameservers at Cloudflare," no third party in the request path.
What happens if AumaShield is down?
The shield-client middleware fails open by default: your app keeps serving traffic (unprotected) until AumaShield recovers. Your service never goes down because of us. You can set failOpen: false in the config if you prefer security over availability.
How much latency does it add?
~0ms on cache hits, which are 99%+ of requests after warmup (the client caches per-IP decisions for 5 minutes in memory). <10ms on a cache miss: one HTTP call to the shield service. Your app doesn't wait for country lookups; those happen asynchronously in the shield's own cache.
What countries are blocked by default?
None. AumaShield Pro starts open and restricts based on evidence you approve. The only defaults are 5 sanctioned states (North Korea, Iran, Syria, Libya, Cuba), blocked because trade restrictions and payment-processor rules make supporting traffic from them a legal risk, not a security one.
How do evidence-based suggestions actually work?
Every hour, AumaShield Pro scans the 24-hour block log on each of your sites. If a country crosses 50+ blocked requests from multiple unique IPs (or 250+ for low-HDI countries, benefit of the doubt), a suggestion appears in your dashboard with the evidence. You approve or dismiss. Nothing auto-blocks at the country level. Single-IP attackers get flagged at 100+ blocks in 24h.
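The hourly suggestion pass described in this answer, as an added example written here (not AumaShield Pro's own code): it applies the stated thresholds to a constructed 24-hour block log, and the low-HDI country set is an assumed input.

```javascript
// Added example, not AumaShield Pro's own code: the suggestion rules stated in
// the FAQ applied to one site's 24-hour block log. The log entries and the
// low-HDI country set are constructed inputs for illustration.
const COUNTRY_THRESHOLD = 50;
const LOW_HDI_COUNTRY_THRESHOLD = 250;   // 5x more evidence: benefit of the doubt
const SINGLE_IP_THRESHOLD = 100;
const WINDOW_MS = 24 * 60 * 60 * 1000;

// entries: [{ ts, ip, country, path }]  lowHdi: Set of country codes (assumed input)
function suggestBlocks(entries, lowHdi, now = Date.now()) {
  const recent = entries.filter((e) => now - e.ts <= WINDOW_MS);
  const byCountry = new Map();   // country -> { hits, ips: Set, paths: Map }
  const byIp = new Map();        // ip -> hits
  for (const e of recent) {
    let c = byCountry.get(e.country);
    if (!c) byCountry.set(e.country, (c = { hits: 0, ips: new Set(), paths: new Map() }));
    c.hits += 1;
    c.ips.add(e.ip);
    c.paths.set(e.path, (c.paths.get(e.path) || 0) + 1);
    byIp.set(e.ip, (byIp.get(e.ip) || 0) + 1);
  }
  const suggestions = [];
  for (const [country, c] of byCountry) {
    const threshold = lowHdi.has(country) ? LOW_HDI_COUNTRY_THRESHOLD : COUNTRY_THRESHOLD;
    // "multiple unique IPs": one noisy host is an IP problem, not a country problem
    if (c.hits >= threshold && c.ips.size > 1) {
      const topPaths = [...c.paths].sort((a, b) => b[1] - a[1]).slice(0, 3).map(([p]) => p);
      suggestions.push({ type: 'country', target: country, hits: c.hits, uniqueIps: c.ips.size, topPaths });
    }
  }
  for (const [ip, hits] of byIp) {
    if (hits >= SINGLE_IP_THRESHOLD) suggestions.push({ type: 'ip', target: ip, hits });
  }
  return suggestions;   // nothing auto-blocks: each suggestion waits for approval or dismissal
}

// Constructed sample log: a distributed scan from "AA", one noisy host in "BB",
// and a low-HDI country "CC" that stays under its higher threshold.
function sampleLog(now = Date.now()) {
  const log = [];
  for (let i = 0; i < 60; i += 1) log.push({ ts: now - i * 60000, ip: `203.0.113.${i % 6}`, country: 'AA', path: i % 2 ? '/xmlrpc.php' : '/.env' });
  for (let i = 0; i < 120; i += 1) log.push({ ts: now - i * 30000, ip: '198.51.100.9', country: 'BB', path: '/wp-login.php' });
  for (let i = 0; i < 80; i += 1) log.push({ ts: now - i * 60000, ip: `192.0.2.${i % 8}`, country: 'CC', path: '/.git/config' });
  log.push({ ts: now - 2 * WINDOW_MS, ip: '203.0.113.1', country: 'AA', path: '/.env' });   // outside the window
  return log;
}
```

Running suggestBlocks(sampleLog(), new Set(['CC'])) yields one country suggestion for AA and one IP suggestion for 198.51.100.9; BB's 120 hits come from a single host, so they are flagged as an IP, not a country.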
Can I cancel? Any refunds?
Cancel any time from the Stripe billing portal (linked in your dashboard). Your Pro/Team features stay active until the end of your billing period, then you downgrade to Free. No refunds for partial months, but no contracts either; cancel whenever. Your sites and API keys keep working on the Free tier.
What happens to my logs when I downgrade?
Each tier has a log retention window: Free = 7 days, Pro = 30 days, Team = 365 days. When you downgrade, we don't delete logs immediately; they get trimmed to match your new tier's window on the next daily cleanup. You can always export recent logs via the dashboard before downgrading.
Does it work with Cloudflare, nginx, or other proxies?
Yes. If your app is behind Cloudflare, nginx, or any reverse proxy, set trustProxy: true (the default) in the shield-client config. The middleware reads the real visitor IP from the X-Forwarded-For and CF-Connecting-IP headers. No extra setup required; it just works.
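The three client behaviours described in the answers above (fail-open default, the 5-minute per-IP decision cache, and trustProxy header handling), as an added example written here rather than the @aumatron/shield-client source; check(ip) stands in for the HTTP call to the shield service and is an assumed injected function.

```javascript
// Added example, not the @aumatron/shield-client source: an Express-style
// middleware with the behaviours the FAQ describes. `check(ip)` stands in for
// the HTTP call to /api/v1/check and is an assumed injected function.
const CACHE_TTL_MS = 5 * 60 * 1000;   // per-IP decisions are cached for 5 minutes

// With trustProxy, prefer CF-Connecting-IP, then the first X-Forwarded-For hop
// (the client as seen by the proxy); otherwise use the socket address. Only
// trust these headers when a proxy you control sets them, or they can be forged.
function visitorIp(req, trustProxy = true) {
  if (trustProxy) {
    const cf = req.headers['cf-connecting-ip'];
    if (cf) return cf.trim();
    const xff = req.headers['x-forwarded-for'];
    if (xff) return xff.split(',')[0].trim();
  }
  return req.socket.remoteAddress;
}

function createShield({ check, failOpen = true, trustProxy = true, now = Date.now }) {
  const cache = new Map();   // ip -> { allowed, expires }

  async function decide(ip) {
    const hit = cache.get(ip);
    if (hit && hit.expires > now()) return { allowed: hit.allowed, cached: true };
    let allowed;
    try {
      allowed = await check(ip);   // the one HTTP call on a cache miss
    } catch (err) {
      // Shield unreachable: allow unless failOpen: false was configured. The
      // outcome is not cached, so the next request retries the service.
      return { allowed: failOpen, cached: false, degraded: true };
    }
    cache.set(ip, { allowed, expires: now() + CACHE_TTL_MS });
    return { allowed, cached: false };
  }

  async function middleware(req, res, next) {
    const { allowed } = await decide(visitorIp(req, trustProxy));
    if (allowed) return next();
    res.statusCode = 403;
    res.end('Forbidden');
  }
  return { middleware, decide };
}
```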
Where is my data stored? Is it GDPR-compliant?
Servers run on a UK-based VPS. We store: blocked IPs (for analytics), blocked-country config per site, your email (for sign-in), Stripe customer ID (for billing). We do not log allowed requests. We never sell or share customer data. GDPR-compliant under the legitimate-interest basis for security logging. Full privacy policy at aumatron.com/privacy.