This product was not featured by Product Hunt yet.
It will not yet be shown by default on their landing page.

prisma-firewall

A security firewall for Prisma

Developer Tools
GitHub
Tech
Security

Hunted by Neeraj L

Every Prisma developer has a silent risk in their codebase. A single deleteMany() with no where clause wipes an entire table. A findMany() with no limit dumps your entire database to the client. And there's a lesser-known attack called operator injection, where an attacker sends { "not": "" } as a password value instead of a plain string, and Prisma accepts it as a valid query operator, bypassing authentication entirely. When tested, Prisma did not block it. prisma-firewall does.
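The operator-injection case described above, as an added example that is not Prisma's or prisma-firewall's code. `matches` and `findFirst` are a constructed in-memory stand-in for operator-style filters, and `loginUnsafe`, `loginSafe` and `requireString` are hypothetical names.

```javascript
// Added example: `matches`/`findFirst` are a constructed stand-in for
// operator-style filters ({ not: x }, { equals: x }), not Prisma's implementation.
const users = [{ email: "a@example.com", password: "s3cret-hash" }]; // constructed row

function matches(value, filter) {
  if (filter !== null && typeof filter === "object") {
    if ("not" in filter) return !matches(value, filter.not);
    if ("equals" in filter) return matches(value, filter.equals);
    return false; // unknown operator: no match
  }
  return value === filter; // scalar filter: plain equality
}

function findFirst(where) {
  const hit = users.find((u) =>
    Object.entries(where).every(([field, f]) => matches(u[field], f)));
  return hit ?? null;
}

// Vulnerable pattern: parsed JSON fields flow straight into the filter, so an
// object in place of a string is interpreted as an operator.
function loginUnsafe(body) {
  return findFirst({ email: body.email, password: body.password });
}

// Hardened pattern: reject anything that is not a non-empty string before it
// reaches the query layer.
function requireString(name, value) {
  if (typeof value !== "string" || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  return value;
}

function loginSafe(body) {
  return findFirst({
    email: requireString("email", body.email),
    password: requireString("password", body.password),
  });
}

// Constructed request body carrying the payload quoted on this page.
const injected = JSON.parse('{"email":"a@example.com","password":{"not":""}}');
console.log("unsafe login accepted operator payload:", loginUnsafe(injected) !== null);
```

A sturdier design looks the user up by a unique key only and verifies the password hash in application code, so the secret never appears in a filter at all.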

Top comment

Hey everyone! 👋 I'm Neeraj, a CS student from Singapore. I built prisma-firewall over 2 days while working on a personal project using Prisma.

I kept thinking about how easy it is to make a mistake that causes real damage. A stray deleteMany() with no where clause, a findMany() that dumps your entire database, sensitive fields accidentally returned in a query.

Then I discovered something that really surprised me. There's a vulnerability called operator injection where an attacker sends { "not": "" } as a password value instead of a plain string. Prisma accepts it as a valid query operator and returns the user without ever checking their password. I tested this myself on a real Prisma setup. It went straight through. That's when I decided to build this properly.

The goal was simple. One line to install, zero changes to your existing queries, runs silently in the background and catches what Prisma misses. A safety net for when things go wrong, because they always do at some point.

Would love to hear feedback from the community, especially if there are security edge cases I haven't covered yet. Happy to answer any questions!

About prisma-firewall on Product Hunt

prisma-firewall was submitted on Product Hunt and earned 1 upvote and 1 comment, placing #64 on the daily leaderboard.

prisma-firewall was featured in Developer Tools (511k followers), GitHub (41.2k followers), Tech (621.5k followers) and Security (2.6k followers) on Product Hunt. Together, these topics include over 250.3k products, making this a competitive space to launch in.

Who hunted prisma-firewall?

prisma-firewall was hunted by Neeraj L. A “hunter” on Product Hunt is the community member who submits a product to the platform — uploading the images, the link, and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community. See the full all-time top hunters leaderboard to discover who is shaping the Product Hunt ecosystem.
