Zen, your in-app firewall for peace of mind, at runtime.
Zen is an embedded Web Application Firewall that autonomously protects your .NET apps against common and critical attacks.
Zen protects your .NET apps by blocking user input that contains dangerous strings, such as the payloads used for SQL injection. It runs on the same server as your .NET app, so installation is easy and there is zero maintenance.
Zen for .NET currently supports .NET 4.6 and later. The latest tested version is .NET 10.0.
Zen will autonomously protect your .NET applications from the inside against:
- 🛡️ SQL injection attacks
- 🛡️ Path traversal attacks
- 🛡️ Command injection attacks
- 🚧 Server-side request forgery (SSRF)
- 🚧 NoSQL injection attacks
Zen operates autonomously on the same server as your .NET app to:
- ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
- ✅ Rate limit specific API endpoints by IP or by user
- ✅ Allow you to block specific users manually
- ✅ Allow you to block bots and AI scrapers
- ✅ Allow traffic by IP address per endpoint
- ✅ Bypass the firewall for specific IP addresses
- ✅ Geo-fencing to block or allow a selection of countries
Zen for .NET supports the following frameworks:
- ✅ ASP.NET Core 6.0
- ✅ ASP.NET Core 7.0
- ✅ ASP.NET Core 8.0
- ✅ ASP.NET Core 9.0
- ✅ ASP.NET Core 10.0
- ✅ ASP.NET Framework 4.6.x
- ✅ ASP.NET Framework 4.7.x
- ✅ ASP.NET Framework 4.8.x

Zen for .NET supports the following database clients and data-access libraries:
- ✅ Microsoft.Data.SqlClient
- ✅ System.Data.SqlClient
- ✅ System.Data.SqlServerCE (.NET Framework)
- ✅ Microsoft.Data.Sqlite
- ✅ MySql.Data.MySqlClient
- ✅ MySqlConnector
- ✅ Npgsql
- ✅ MySqlX
- ✅ NPoco
- ✅ EF Core
Ensure that your project runs on .NET Core 6, 7, 8, 9 or 10. Additionally, your application must use endpoint routing (UseRouting) so Zen Firewall can resolve route information correctly. Legacy routing middleware such as UseMvc is not supported. See the ASP.NET Core migration guide here.
- Install the package from NuGet:

```shell
dotnet add package Aikido.Zen.DotNetCore
```

- Configure your Aikido token with secure configuration providers (recommended):

For local development, use .NET Secret Manager:

```shell
dotnet user-secrets init
dotnet user-secrets set "Aikido:AikidoToken" "<YOUR-TOKEN-HERE>"
```

For deployment, use environment variables:

```shell
AIKIDO_TOKEN=<YOUR-TOKEN-HERE>
```

Avoid storing real tokens in appsettings.json or appsettings.Development.json (especially in source control). If you use a cloud secret store, see the Azure Key Vault and AWS Secrets Manager guides listed below.
If you are using a startup class, you can add the following to your Startup.cs file:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    // other services
    services.AddZenFirewall();
    // other services
}

public void Configure(IApplicationBuilder app)
{
    // other middleware
    // app.UseRouting()
    app.UseZenFirewall(); // place this after UseRouting, or after authorization, but high enough in the pipeline to catch all requests
    // other middleware like app.UseEndpoints() or app.MapControllers() need to come after UseZenFirewall
}
```

You can also set the user in your custom middleware, if you would like to block users by their identity.
```csharp
// ...
using Aikido.Zen.DotNetCore;
using Microsoft.AspNet.Identity; // provides the GetUserId() extension used below
// ...
app
    // add routing
    .UseRouting()
    // authorize users
    .Use((context, next) =>
    {
        // unique id for the user
        var id = context.User?.Identity?.GetUserId();
        // name for the user, can be same as id
        var name = context.User?.Identity?.Name;
        // only identify authenticated requests; anonymous requests stay anonymous
        if (!string.IsNullOrEmpty(id))
            Zen.SetUser(id, name, context);
        return next();
    })
    // add Zen middleware
    .UseZenFirewall(); // place this after UseRouting, or after authorization, but high enough in the pipeline to catch all requests
// other middleware like UseEndpoints() or MapControllers() need to come after UseZenFirewall
```

Ensure that your project runs on .NET Framework 4.6 or higher.
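To tie the ASP.NET Core steps above together, here is a complete Program.cs using the minimal hosting model. This is an added example, not code from the Zen project or its README: `AddZenFirewall()`, `UseZenFirewall()` and `Zen.SetUser(id, name, context)` are the calls documented above; the authentication setup is a placeholder you replace with your own scheme, and reading the user id from the `NameIdentifier` claim is an assumption about how your scheme populates the principal.

```csharp
// Added example (not from the Zen project): a complete Program.cs for an
// ASP.NET Core app using minimal hosting. AddZenFirewall(), UseZenFirewall()
// and Zen.SetUser(id, name, context) come from the README above; everything
// else is standard ASP.NET Core. Reading the user id from the NameIdentifier
// claim is an assumption about how your auth scheme fills the principal.
using System.Security.Claims;
using Aikido.Zen.DotNetCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();
// Placeholder: configure your real scheme (cookies, JWT bearer, ...) here.
builder.Services.AddAuthentication();
builder.Services.AddAuthorization();
// Register Zen. The token is read from configuration (Aikido:AikidoToken via
// user-secrets in development) or the AIKIDO_TOKEN environment variable.
builder.Services.AddZenFirewall();

var app = builder.Build();

// 1. Routing first: Zen needs the matched endpoint to apply per-route rules
//    (rate limits and IP allow lists are configured per endpoint).
app.UseRouting();

// 2. Authentication and authorization before Zen, so the user is already
//    known when Zen evaluates user-based blocking and rate limits.
app.UseAuthentication();
app.UseAuthorization();

// 3. Tell Zen who the current user is. Anonymous requests are skipped so
//    they are never mistaken for a user with an empty id.
app.Use(async (context, next) =>
{
    var id = context.User?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    if (!string.IsNullOrEmpty(id))
    {
        var name = context.User?.Identity?.Name ?? id;
        Zen.SetUser(id, name, context);
    }
    await next();
});

// 4. Zen itself, before any middleware that executes endpoints.
app.UseZenFirewall();

// 5. Endpoints last, so every request has passed through Zen.
app.MapControllers();

app.Run();
```

Keep the order of steps 1 to 5 when you add further middleware: anything that short-circuits the pipeline before `UseZenFirewall()` (a custom static-file or health-check handler, for example) is invisible to Zen.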
- Install the package from NuGet:

```shell
dotnet add package Aikido.Zen.DotNetFramework
```

or

```powershell
Install-Package Aikido.Zen.DotNetFramework
```

- To add the Aikido token in the Web.config file, follow these steps:
  - Open your Web.config file.
  - Locate the `<appSettings>` section.
  - Add the following key-value pair within the `<appSettings>` section:

```xml
<add key="Aikido:AikidoToken" value="your-api-key" />
```

- In your Global.asax.cs file, add the following:
```csharp
protected void Application_Start()
{
    // other code
    Zen.Start();
}
```

If you are using OWIN, you can add the following to your Startup.cs file:

```csharp
public void Configuration(IAppBuilder app)
{
    // other code
    Zen.Start();
}
```

- Zen needs to run for all requests to properly detect attacks. This can be enforced in Web.config as such:

```xml
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
```

- If you would like to block users by their identity, you can pass in a function to set the user, in your Global.asax.cs file.
```csharp
public void Application_Start()
{
    // other code
    // userId should be unique
    // userName is optional
    // context.User.Identity.GetUserId() and .Name are available to use when authentication is implemented
    // (GetUserId() requires `using Microsoft.AspNet.Identity;`)
    Zen.SetUser(context => new User(context.User.Identity.GetUserId(), context.User.Identity.Name));
    Zen.Start();
}
```

- If using OWIN, you can add the following to your Startup.cs file:

```csharp
// ...
using Aikido.Zen.DotNetFramework;
using Aikido.Zen.Core;
using Microsoft.AspNet.Identity;
// ...
public void Configuration(IAppBuilder app)
{
    // other code
    // set the user:
    // userId should be unique eg. User.Identity.GetUserId()
    // userName is optional eg. context.User.Identity.Name
    Zen.SetUser(context => new User(context.User.Identity.GetUserId(), context.User.Identity.Name));
    Zen.Start();
}
```

- Troubleshooting — common issues and how to debug Zen
- Azure Key Vault — using Azure Key Vault with Zen
- AWS Secrets Manager — using AWS Secrets Manager with Zen
- Set the current user — identify users for rate limiting, blocking, and attack reports
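For the .NET Framework setup above, here is a complete Global.asax.cs that resolves the user defensively before starting Zen. This is an added example, not code from the Zen project: `Zen.SetUser(Func<context, User>)`, `Zen.Start()` and the `User(id, name)` constructor are as documented in the README above; that the delegate may return `null` to leave an anonymous request unidentified is an assumption, as is the namespace `MyApp`.

```csharp
// Added example (not from the Zen project): a complete Global.asax.cs for an
// ASP.NET Framework app. Zen.SetUser, Zen.Start and new User(id, name) come
// from the README above. Assumptions: returning null from the SetUser delegate
// leaves the request anonymous, and the MyApp namespace is a placeholder.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Aikido.Zen.Core;
using Aikido.Zen.DotNetFramework;
using Microsoft.AspNet.Identity; // GetUserId() extension on IIdentity

namespace MyApp
{
    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            RouteConfig.RegisterRoutes(RouteTable.Routes);

            // Register the user resolver before Zen starts, so the first
            // request already carries identity information.
            Zen.SetUser(context =>
            {
                // Requests arrive before authentication has run for anonymous
                // users, so every step is null-checked instead of assuming
                // context.User.Identity is populated.
                var identity = context?.User?.Identity;
                if (identity == null || !identity.IsAuthenticated)
                    return null; // assumption: null == anonymous request

                var id = identity.GetUserId();
                if (string.IsNullOrEmpty(id))
                    return null;

                // Use the stable id as a fallback display name so user-based
                // blocking and rate limiting key on the id, not on a name that
                // can be empty or changed by the user.
                var name = string.IsNullOrEmpty(identity.Name) ? id : identity.Name;
                return new User(id, name);
            });

            Zen.Start();
        }
    }
}
```

Pair this with `runAllManagedModulesForAllRequests="true"` in Web.config, as shown above, so that Zen's module also sees requests for extensionless or static paths.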
Aikido is your no nonsense application security platform. One central system that scans your source code & cloud, shows you what vulnerabilities matter, and how to fix them - fast. So you can get back to building.
Zen is a new product by Aikido. Built for developers to level up their security. While Aikido scans, get Zen for always-on protection.
You can use some of Zen’s features without Aikido, of course. Peace of mind is just a few lines of code away.
But you will get the most value by reporting your data to Aikido.
You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can sign up for free.
Here's how:
- Log in to your Aikido account.
- Go to Zen.
- Go to apps.
- Click on Add app.
- Choose a name for your app.
- Click Generate token.
- Copy the token.
- Set the token as the environment variable `AIKIDO_TOKEN`.
By default, Zen will only detect and report attacks to Aikido.
To block requests, set the AIKIDO_BLOCK environment variable to true.
See Reporting to Aikido to learn how to send events to Aikido.
Configure Zen using environment variables for authentication, mode settings, debugging, and more.
This program is offered under a commercial license and under the AGPL license. You can be released from the requirements of the AGPL license by purchasing a commercial license. Buying such a license is mandatory as soon as you develop commercial activities involving the Zen software without disclosing the source code of your own applications.
For more information, please contact Aikido Security at this address: support@aikido.dev or create an account at https://app.aikido.dev.
See CODE_OF_CONDUCT.md for more information.
Our bug bounty program is public and can be found by all registered Intigriti users at: https://app.intigriti.com/researcher/programs/aikido/aikidoruntime
See SECURITY.md for more information.