
Dhal

An open-source, application-native web application firewall for Node.js APIs with route-aware controls, observability, and a stable v1 contract.

Category: Application security

Status: Live and maintained

Year: 2026

Rokad role: Product strategy, security engineering, documentation, maintenance


The product

Dhal is an open-source, application-native web application firewall and request-security middleware for Node.js. It runs inside the application request path, where route, identity, body, response, and operational context are available.

It is designed to complement edge, CDN, network, authentication, authorization, validation, and infrastructure controls—not replace them.

The engineering problem

External security layers can stop broad classes of malicious traffic, but often lack the context required to distinguish one application route, user, tenant, API key, request body, or business action from another.

Dhal brings deterministic controls closer to the application while preserving a monitor-first rollout model and production evidence for every enforcement decision.

Core capabilities

  • Express, Fastify, raw node:http, and core-engine integrations.
  • Route-aware policy and operating modes.
  • IP controls, reputation, rate limiting, and shared Redis or Valkey counters.
  • SQL injection, XSS, traversal, SSRF, RCE, SSTI, probe, and API-security controls.
  • Bot, automation, honeypot, and credential-stuffing detection.
  • Identity-aware enforcement using user, tenant, route, IP, and API-key context.
  • Structured events, signed telemetry, OpenTelemetry integration, and replay testing.
  • Diagnostics, readiness checks, compatibility metadata, SBOMs, and release artifacts.

Controlled adoption

Dhal starts safely in monitor mode. Teams can inspect wouldBlock decisions, tune route profiles and suppressions, validate latency and false positives, and then enable blocking selectively on higher-risk routes.

This approach keeps security rollout observable and reversible instead of forcing an immediate all-or-nothing switch.
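The monitor-first, route-aware rollout described above, as an added illustration in plain Node.js. This is not Dhal's own API: the policy shape, rule ids, request fields and the two signature checks are assumptions constructed for the example.

```javascript
// Added illustration of a monitor-first, route-aware policy engine.
// Not Dhal's API: policy shape, rule ids and request fields are assumptions.

// Constructed stand-ins for a real rule engine: two naive signature checks.
const DETECTORS = [
  { id: 'sqli.union', test: (s) => /union\s+select/i.test(s) },
  { id: 'traversal.dotdot', test: (s) => /\.\.\//.test(s) },
];

// A policy starts in monitor mode everywhere; individual routes can be
// promoted to block, and per-route suppressions silence known false positives.
function createPolicy({ defaultMode = 'monitor', routes = {}, suppressions = [] } = {}) {
  return { defaultMode, routes: { ...routes }, suppressions: [...suppressions] };
}

function modeFor(policy, route) {
  return policy.routes[route]?.mode ?? policy.defaultMode;
}

// Selective enforcement: flip one higher-risk route to block, leaving the rest in monitor.
function promoteToBlock(policy, route) {
  return { ...policy, routes: { ...policy.routes, [route]: { mode: 'block' } } };
}

// Evaluate one request. Returns the action taken plus a structured event that
// records wouldBlock regardless of mode, so monitor-mode decisions stay reviewable.
function evaluate(policy, req) {
  const haystack = [req.path, req.query ?? '', req.body ?? ''].join('\n');
  const rules = DETECTORS.filter((d) => d.test(haystack))
    .map((d) => d.id)
    .filter((id) => !policy.suppressions.some((s) => s.route === req.route && s.rule === id));
  const mode = modeFor(policy, req.route);
  const wouldBlock = rules.length > 0;
  const action = wouldBlock && mode === 'block' ? 'block' : 'allow';
  const event = { route: req.route, user: req.user ?? null, mode, rules, wouldBlock, action };
  return { action, event };
}

// Tuning aid: count wouldBlock decisions per route from collected events,
// so a team can judge false positives before enabling blocking anywhere.
function wouldBlockByRoute(events) {
  return events.reduce((acc, e) => {
    if (e.wouldBlock) acc[e.route] = (acc[e.route] ?? 0) + 1;
    return acc;
  }, {});
}
```

In a real deployment the event would be emitted to structured logging or telemetry rather than returned, and the detectors would be the engine's rule set rather than two regular expressions.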

Stable v1

The public v1 release established a frozen compatibility contract, lifecycle controls, distributed stores, diagnostics, signed telemetry, supply-chain artifacts, and production documentation.

The roadmap continues with additional framework adapters, OpenAPI inspection, resource budgets, rule bundles, metrics, Redis resilience, and optional cloud-connected capabilities.

Role within Rokad

Dhal is both a maintained public security product and a practical expression of Rokad's application-security, Node.js, observability, DevSecOps, and production-engineering capability.
