Arcjet Sensitive Information Detection protects against clients sending you sensitive information such as personally identifiable information (PII) that you do not wish to handle.
What is Arcjet?
Arcjet helps developers protect their apps in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.Quick start
This guide will show you how to configure Arcjet for a
1. Install Arcjet
In your project root, run the following command to install the SDK:
bun add @arcjet/bun
npm i @arcjet/nest
pnpm add @arcjet/nest
yarn add @arcjet/nest
npm i @arcjet/next
pnpm add @arcjet/next
yarn add @arcjet/next
npm i @arcjet/node
pnpm add @arcjet/node
yarn add @arcjet/node
npm i @arcjet/remix
pnpm add @arcjet/remix
yarn add @arcjet/remix
npm i @arcjet/sveltekit
pnpm add @arcjet/sveltekit
yarn add @arcjet/sveltekit
2. Set your key
Create a free Arcjet account then follow the
instructions to add a site and get a key. Add it to a .env.local
file in your
project root.
ARCJET_KEY=ajkey_yourkey
ARCJET_KEY=ajkey_yourkey
ARCJET_KEY=ajkey_yourkey
Since NODE_ENV
for you, you also
need to set ARCJET_ENV
in your environment file. This allows Arcjet to accept
a local IP address for development purposes.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkey
Since NODE_ENV
for you, you also
need to set ARCJET_ENV
in your environment file. This allows Arcjet to accept
a local IP address for development purposes.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkey
Since NODE_ENV
for you, you also
need to set ARCJET_ENV
in your environment file. This allows Arcjet to accept
a local IP address for development purposes.
# NODE_ENV is not set automatically, so tell Arcjet we're in dev# You can leave this unset in prodARCJET_ENV=development# Get your site key from https://app.arcjet.comARCJET_KEY=ajkey_yourkey
3. Protect a route
Create a sensitive info detection rule. You can also configure Arcjet to detect credit/debit card numbers, IP addresses, phone numbers, and/or implement a custom detection function. See the reference for details.
import arcjet, { sensitiveInfo } from "@arcjet/bun";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
export default { port: 3000, fetch: aj.handler(async (req) => { const decision = await aj.protect(req); console.log("Arcjet decision", decision);
if (decision.isDenied()) { return new Response("Bad request - sensitive information detected", { status: 400, }); }
return new Response("Hello world"); }),};
import arcjet, { sensitiveInfo } from "@arcjet/bun";import { env } from "bun";
const aj = arcjet({ key: env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
export default { port: 3000, fetch: aj.handler(async (req) => { const decision = await aj.protect(req); console.log("Arcjet decision", decision);
if (decision.isDenied()) { return new Response("Bad request - sensitive information detected", { status: 400, }); }
return new Response("Hello world"); }),};
import arcjet, { sensitiveInfo } from "@arcjet/node";import http from "node:http";
const aj = arcjet({ // Get your site key from https://app.arcjet.com // and set it as an environment variable rather than hard coding. key: process.env.ARCJET_KEY, rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
const server = http.createServer(async function (req, res) { const decision = await aj.protect(req); console.log("Arcjet decision", decision);
if (decision.isDenied()) { res.writeHead(400, { "Content-Type": "application/json" }); res.end( JSON.stringify({ error: "Bad request - sensitive information detected" }), ); } else { res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello world" })); }});
server.listen(8000);
import arcjet, { sensitiveInfo } from "@arcjet/node";import http from "node:http";
const aj = arcjet({ // Get your site key from https://app.arcjet.com // and set it as an environment variable rather than hard coding. key: process.env.ARCJET_KEY!, rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
const server = http.createServer(async function ( req: http.IncomingMessage, res: http.ServerResponse,) { const decision = await aj.protect(req); console.log("Arcjet decision", decision);
if (decision.isDenied()) { res.writeHead(400, { "Content-Type": "application/json" }); res.end( JSON.stringify({ error: "Bad request - sensitive information detected" }), ); } else { res.writeHead(200, { "Content-Type": "application/json" }); res.end(JSON.stringify({ message: "Hello world" })); }});
server.listen(8000);
Create a new API route at /src/routes/api/arcjet/+server.js
:
import { env } from "$env/dynamic/private";import arcjet, { sensitiveInfo } from "@arcjet/sveltekit";import { error } from "@sveltejs/kit";
const aj = arcjet({ key: env.ARCJET_KEY, // Get your site key from https://app.arcjet.com rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
export async function handle({ event, resolve }) { const decision = await aj.protect(event); console.log("Arcjet decision", decision);
if (decision.isDenied()) { return error(400, "Bad request - sensitive information detected"); }
return resolve(event);}
Create a new API route at /src/routes/api/arcjet/+server.ts
:
import { env } from "$env/dynamic/private";import arcjet, { sensitiveInfo } from "@arcjet/sveltekit";import { error, type RequestEvent } from "@sveltejs/kit";
const aj = arcjet({ key: env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
export async function handle({ event, resolve,}: { event: RequestEvent; resolve: (event: RequestEvent) => Response | Promise<Response>;}): Promise<Response> { const decision = await aj.protect(event); console.log("Arcjet decision", decision);
if (decision.isDenied()) { return error(400, "Bad request - sensitive information detected"); }
return resolve(event);}
This creates a global guard that will be applied to all routes. In a real application, implementing guards or per-route protections would give you more flexibility. See the reference guide and the NestJS example app for how to do this.
import { ArcjetGuard, ArcjetModule, sensitiveInfo } from "@arcjet/nest";import { Module } from "@nestjs/common";import { ConfigModule } from "@nestjs/config";import { APP_GUARD, NestFactory } from "@nestjs/core";
@Module({ imports: [ ConfigModule.forRoot({ isGlobal: true, }), ArcjetModule.forRoot({ isGlobal: true, key: process.env.ARCJET_KEY!, rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ], }), ], controllers: [], providers: [ { provide: APP_GUARD, useClass: ArcjetGuard, }, ],})class AppModule {}
async function bootstrap() { const app = await NestFactory.create(AppModule); await app.listen(3000);}bootstrap();
import { ArcjetGuard, ArcjetModule, sensitiveInfo } from "@arcjet/nest";import { Module } from "@nestjs/common";import { ConfigModule } from "@nestjs/config";import { APP_GUARD, NestFactory } from "@nestjs/core";
@Module({ imports: [ ConfigModule.forRoot({ isGlobal: true, }), ArcjetModule.forRoot({ isGlobal: true, key: process.env.ARCJET_KEY, rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ], }), ], controllers: [], providers: [ { provide: APP_GUARD, useClass: ArcjetGuard, }, ],})class AppModule {}
async function bootstrap() { const app = await NestFactory.create(AppModule); await app.listen(3000);}bootstrap();
Create a new API route at /pages/api/arcjet.js
:
import arcjet, { sensitiveInfo } from "@arcjet/next";
const aj = arcjet({ key: process.env.ARCJET_KEY, rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
export default async function handler(req, res) { const decision = await aj.protect(req); console.log("Arcjet decision", decision);
if (decision.isDenied() && decision.reason.isSensitiveInfo()) { return res.status(400).json({ error: "The request body contains unexpected sensitive information", }); }
res.status(200).json({ name: "Hello world" });}
Create a new API route at /pages/api/arcjet.ts
:
import arcjet, { sensitiveInfo } from "@arcjet/next";import type { NextApiRequest, NextApiResponse } from "next";
const aj = arcjet({ key: process.env.ARCJET_KEY!, rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
export default async function handler( req: NextApiRequest, res: NextApiResponse,) { const decision = await aj.protect(req); console.log("Arcjet decision", decision);
if (decision.isDenied() && decision.reason.isSensitiveInfo()) { return res.status(400).json({ error: "The request body contains unexpected sensitive information", }); }
res.status(200).json({ name: "Hello world" });}
Create a new API route at /app/api/arcjet/route.ts
:
import arcjet, { sensitiveInfo } from "@arcjet/next";import { NextResponse } from "next/server";
const aj = arcjet({ key: process.env.ARCJET_KEY!, rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
export async function POST(req: Request) { const decision = await aj.protect(req); console.log("Arcjet decision", decision);
if (decision.isDenied() && decision.reason.isSensitiveInfo()) { return NextResponse.json( { error: "Bad request - sensitive information detected", reason: decision.reason, }, { status: 400, }, ); }
const message = await req.text(); return NextResponse.json({ message: `You said: ${message}` });}
Create a new API route at /app/api/arcjet/route.js
:
import arcjet, { sensitiveInfo } from "@arcjet/next";import { NextResponse } from "next/server";
const aj = arcjet({ key: process.env.ARCJET_KEY, rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
export async function POST(req) { const decision = await aj.protect(req); console.log("Arcjet decision", decision);
if (decision.isDenied() && decision.reason.isSensitiveInfo()) { return NextResponse.json( { error: "Bad request - sensitive information detected", reason: decision.reason, }, { status: 400, }, ); }
const message = await req.text(); return NextResponse.json({ message: `You said: ${message}` });}
Create a new route at app/routes/arcjet.tsx
with the contents:
import arcjet, { sensitiveInfo } from "@arcjet/remix";import type { ActionFunctionArgs } from "@remix-run/node";
const aj = arcjet({ // Get your site key from https://app.arcjet.com // and set it as an environment variable rather than hard coding. key: process.env.ARCJET_KEY!, rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
// The action function is called for non-GET requests, which is where you// typically handle form submissions that might contain sensitive information.export async function action(args: ActionFunctionArgs) { const decision = await aj.protect(args); console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isSensitiveInfo()) { return Response.json( { error: "Please don't send personal data." }, { status: 400 }, ); } else { return Response.json({ error: "Forbidden" }, { status: 403 }); } }
// We don't need to use the decision elsewhere, but you could return it to // the component return null;}
export default function Index() { return ( <> <h1>Hello world</h1> </> );}
import arcjet, { sensitiveInfo } from "@arcjet/remix";
const aj = arcjet({ // Get your site key from https://app.arcjet.com // and set it as an environment variable rather than hard coding. key: process.env.ARCJET_KEY, rules: [ // This allows all sensitive entities other than email addresses sensitiveInfo({ mode: "LIVE", // Will block requests, use "DRY_RUN" to log only // allow: ["EMAIL"], Will block all sensitive information types other than email. deny: ["EMAIL"], // Will block email addresses }), ],});
// The action function is called for non-GET requests, which is where you// typically handle form submissions that might contain sensitive information.export async function action(args) { const decision = await aj.protect(args); console.log("Arcjet decision", decision);
if (decision.isDenied()) { if (decision.reason.isSensitiveInfo()) { return Response.json( { error: "Please don't send personal data." }, { status: 400 }, ); } else { return Response.json({ error: "Forbidden" }, { status: 403 }); } }
// We don't need to use the decision elsewhere, but you could return it to // the component return null;}
export default function Index() { return ( <> <h1>Hello world</h1> </> );}
4. Test sending personal info
Start your app and try making a request with an email address in the body of the request:
curl -v http://localhost:3000/api/arcjet --data "My email address is test@example.com"
curl -v http://localhost:3000 --data "My email address is test@example.com"
curl -v http://localhost:3000/api/arcjet --data "My email address is test@example.com"
curl -v http://localhost:8000/api/arcjet --data "My email address is test@example.com"
curl http://localhost:5173/arcjet.data?index --data-raw 'message=test@example.com'
curl -v http://localhost:5173/api/arcjet --data "My email address is test@example.com"
You should see this in your logs
Arcjet decision ArcjetDenyDecision { id: '', // This will contain the Arcjet request ID ttl: 0, results: [ ArcjetRuleResult { ruleId: '', ttl: 0, state: 'RUN', conclusion: 'DENY', reason: [ArcjetSensitiveInfoReason] } ],...
The default response for a request containing unexpected sensitive information is a 400:
< HTTP/2 400< content-type: application/json; charset=utf-8< date: Tue, 09 Jan 2024 13:43:04 GMT< vary: Accept-Encoding< content-length: 72
The requests will also show in the Arcjet dashboard.
FAQs
Do I need to run any infrastructure e.g. Redis?
No, Arcjet handles all the infrastructure for you so you don't need to worry about deploying global Redis clusters, designing data structures to track rate limits, or keeping security detection rules up to date.
What is the performance overhead?
Arcjet SDK tries to do as much as possible asynchronously and locally to minimize latency for each request. Where decisions can be made locally or previous decisions are cached in-memory, latency is usually <1ms.
When a call to the Arcjet API is required, such as when tracking a rate limit in a serverless environment, there is some additional latency before a decision is made. The Arcjet API has been designed for high performance and low latency, and is deployed to multiple regions around the world. The SDK will automatically use the closest region which means the total overhead is typically no more than 20-30ms, often significantly less.
What happens if Arcjet is unavailable?
Where a decision has been cached locally e.g. blocking a client, Arcjet will continue to function even if the service is unavailable.
If a call to the Arcjet API is needed and there is a network problem or Arcjet is unavailable, the default behavior is to fail open and allow the request. You have control over how to handle errors, including choosing to fail close if you prefer. See the reference docs for details.
How does Arcjet protect me against DDoS attacks?
Network layer attacks tend to be generic and high volume, so these are best handled by your hosting platform. Most cloud providers include network DDoS protection by default.
Arcjet sits closer to your application so it can understand the context. This is important because some types of traffic may not look like a DDoS attack, but can still have the same effect. For example, a customer making too many API requests and affecting other customers, or large numbers of signups from disposable email addresses.
Network-level DDoS protection tools find it difficult to protect against this type of traffic because they don't understand the structure of your application. Arcjet can help you to identify and block this traffic by integrating with your codebase and understanding the context of the request e.g. the customer ID or sensitivity of the API route.
Volumetric network attacks are best handled by your hosting provider. Application level attacks need to be handled by the application. That's where Arcjet helps.
What next?
Explore
Arcjet can be used with specific rules on individual routes or as general protection on your entire application. You can setup bot protection, rate limiting for your API, minimize fraudulent registrations with the signup form protection and more.
Get help
Need help with anything? Email support@arcjet.com to get support from our engineering team.