Home
Douglas edited this page Sep 11, 2025 · 13 revisions
Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. It supports npm, PyPI, Maven, Go modules, RubyGems, Cargo, and NuGet registries.
Experimental: This software is in beta and still undergoing regular changes. Additionally, use of this software requires a paid license; please contact Socket sales if you're interested in evaluating Socket Firewall.

Ecosystem | Package Manager | Wrapper Mode | Service Mode - HTTP | Service Mode - HTTPS |
---|---|---|---|---|
JavaScript/TypeScript | npm | ✅ | ✅ | ✅ |
JavaScript/TypeScript | yarn | ✅ | ✅ | ✅ |
JavaScript/TypeScript | pnpm | ✅ | ✅ | ✅ |
Python | uv | ✅ | ✅ | ✅ |
Python | pip | ✅ | ✅ | ✅ |
Python | Poetry | ❌ (1) | ❌ (1) | ❌ (1) |
Go | Go Modules | ✅ | ✅ | ✅ |
Java | Maven | ❌ (2) | ✅ | ❌ (3) |
Java | Gradle | ❌ (2) | ✅ | ❌ (3) |
Ruby | gem | ✅ | ✅ | ❌ (4) |
Ruby | Bundler | ✅ | ✅ | ❌ (4) |
Rust | Cargo | ✅ | ✅ | ❌ (5) |
.NET | NuGet | ✅ | ✅ | ✅ |

Download the latest `sfw` binaries from the releases page. We provide builds for:
- Linux (Intel/AMD)
- macOS (Intel)
- macOS (Apple Silicon)
- Windows

- Wrapper Mode - Run package manager commands through the proxy with automatic configuration
- Server and Client Setup
  - Service Setup - Run Socket Firewall as a persistent service
  - Client Setup - Configure clients to use the Socket Firewall proxy

1. Poetry has issues utilizing a proxy for package management requests. Poetry is not supported at this time.
2. Unfortunately, Maven and Gradle require manual editing of configuration files in order to configure a proxy. For that reason, they are unsupported by `sfw` running in wrapper mode.
3. Maven and Gradle rely on an HTTP library that does not support TLS for HTTP proxy connections (the Socket Firewall URL). However, HTTPS to the destination is supported. It is recommended to configure this for on-prem deployments, where per-request Socket Firewall configuration can be sent unencrypted in the initial CONNECT without security concerns.
4. Maven and Gradle rely on an HTTP library that does not support TLS for HTTP proxy connections (the Socket Firewall URL). However, HTTPS to the destination is supported. It is recommended that Ruby users interact with Socket Firewall through the CLI wrapper or via an on-prem service instance.
5. Cargo has trouble interacting with a TLS-encrypted proxy. Traffic sent to and received by the remote registry will be encrypted, but initial per-request Socket Firewall config may be sent unencrypted. We recommend that Cargo users use the CLI wrapper or an on-prem HTTP service instance.