Arcjet helps developers protect their apps in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.
This is an example NestJS application demonstrating the use of multiple features.
- Bot protection shows how a page can be protected from automated clients.
- Rate limiting shows the use of different rate limit configurations depending on the authenticated user. A logged-in user can make more requests than an anonymous user.
- Signup form protection uses Arcjet's server-side email verification configured to block disposable providers and ensure that the domain has a valid MX record. It also includes rate limiting and bot protection to prevent automated abuse.
- Sensitive info protects against clients sending you sensitive information such as PII that you do not wish to handle.
- Attack protection demonstrates Arcjet Shield, which detects suspicious behavior such as SQL injection and cross-site scripting attacks.
-
Install dependencies:
npm ci
-
Rename
.env.local.example
to.env.local
and add your Arcjet key. -
Start the dev server
npm run start
NestJS is a server-side framework, so you won't see much in the browser. Here are some API routes to try:
The /bots
route uses a guard to protect the controller. All automated clients
will receive a 403 response. curl
is considered an automated client by
default, so you can test it with:
curl -v http://localhost:3000/bots
The /bots-advanced
route returns a more customized response:
curl -v http://localhost:3000/bots-advanced
The /rate-limit
route uses a fixed window rate limit. Send 3 requests in quick
succession to see the rate limit in action:
curl -v http://localhost:3000/rate-limiting
The /rate-limit-advanced
route uses a token bucket rate limit with a
customized response. Send 3 requests in quick succession to see it working:
curl -v http://localhost:3000/rate-limiting-advanced
The /signup
route uses Arcjet's signup form protection which combines bot
protection, rate limiting, and email verification. To test it, send a POST
request with different email addresses to test:
curl -v http://localhost:3000/signup \
-X POST \
--data "email=invalid.@arcjet"
Try these emails to see how it works:
invalid.@arcjet
– is an invalid email address.test@0zc7eznv3rsiswlohu.tk
– is from a disposable email provider.nonexistent@arcjet.ai
– is a valid email address & domain, but has no MX records.
The /sensitive-info
route uses a guard to protect the controller. It will
block requests containing credit card numbers:
curl -v http://localhost:3000/sensitive-info \
-H "Content-Type: text/plain" \
-X POST \
--data "Hello my credit card is 4111111111111111"
The /sensitive-info-advanced
route returns a more customized response:
curl -v http://localhost:3000/sensitive-info-advanced \
-H "Content-Type: text/plain" \
-X POST \
--data "Hello my credit card is 4111111111111111"
The /attack
route uses Arcjet Shield to detect and block attacks, such as SQL
injection and cross-site scripting. To simulate an attack, send a request with
the special header:
curl -v http://localhost:3000/attack \
-H "x-arcjet-suspicious: true"
After the 5th request, your IP will be blocked for 15 minutes. Suspicious requests must meet a threshold before they are blocked to avoid false positives.
Shield is configured as a default rule in the app.module.ts
file because you
typically want to apply it to every route.
Check out the docs, contact support, or join our Discord server.