Arcjet Shield protects your application against common attacks, including the
OWASP Top 10.
What is Arcjet?Arcjet helps developers protect their apps
in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.
Quick start
This guide will show you how to protect your entire
application from common attacks.
1. Install Arcjet
In your project root, run the following command to install the SDK:
2. Set your key
Create a free Arcjet account then follow the
instructions to add a site and get a key. Add it to a .env.local file in your
project root.
Since doesn’t set NODE_ENV for you, you also
need to set ARCJET_ENV in your environment file. This allows Arcjet to accept
a local IP address for development purposes.
Since doesn’t set NODE_ENV for you, you also
need to set ARCJET_ENV in your environment file. This allows Arcjet to accept
a local IP address for development purposes.
Since doesn’t set NODE_ENV for you, you also
need to set ARCJET_ENV in your environment file. This allows Arcjet to accept
a local IP address for development purposes.
3. Protect a route
This example shows how to protect your app with Arcjet Shield.
This creates a global guard that will be
applied to all routes. In a real application, implementing guards or per-route
protections would give you more flexibility. See the reference
guide and the NestJS example
app for how to do this.
Create a file called hooks.server.js in your project (inside src):
Create a file called hooks.server.ts in your project (inside src):
This example shows how to protect your app with Arcjet Shield. You can also use
it in middleware to protect every route, but we’ll start with a single route.
This sets up a simple server with Arcjet configured in the handler:
Create a new route at app/routes/arcjet.tsx with the contents:
4. Start App
Start your app and load http://localhost:3000. Refresh the page and you will
see the requests showing up in the Arcjet dashboard.
Your entire application is protected.
4. Start App
Start your app and load http://localhost:3000. Refresh the page and you will
see the requests showing up in the Arcjet dashboard.
Your entire application is protected.
4. Start app
Start your app and load http://localhost:5173. Refresh the page and you will
see the requests showing up in the Arcjet dashboard.
Your entire application is protected.
4. Start app
4. Start server
4. Start app
5. Simulate a suspicious request
To see Arcjet Shield in action, try making a request with the special header
x-arcjet-suspicious set to true. After 5 requests, Arcjet Shield will be
triggered and will block the request. This simulates the threshold being
reached and is a constant, so you can use it as part of your tests.
After the 5th request, you will see this in your logs:
The final conclusion is ALLOW even though the rule result conclusion is
DENY. This is because the rule is in dry run mode. Switch it to LIVE mode to
actually block the request.
After the 5th request, you will see this in your logs:
The final conclusion is ALLOW even though the rule result conclusion is
DENY. This is because the rule is in dry run mode. Switch it to LIVE mode to
actually block the request.
After the 5th request, you will see this in your logs:
The final conclusion is ALLOW even though the rule result conclusion is
DENY. This is because the rule is in dry run mode. Switch it to LIVE mode to
actually block the request.
After the 5th request, you will see this in your logs:
The final conclusion is ALLOW even though the rule result conclusion is
DENY. This is because the rule is in dry run mode. Switch it to LIVE mode to
actually block the request.
The default response for a blocked request is a 403 Forbidden which you will see
when you make the 6th request:
The default response for a blocked request is a 403 Forbidden which you will see
when you make the 6th request:
No, Arcjet handles all the infrastructure for you so you don't need to
worry about deploying global Redis clusters, designing data structures to
track rate limits, or keeping security detection rules up to date.
What is the performance overhead?
Arcjet SDK tries to do as much as possible asynchronously and locally to
minimize latency for each request. Where decisions can be made locally or
previous decisions are cached in-memory, latency is usually <1ms.
When a call to the Arcjet API is required, such as when tracking a
rate limit in a serverless environment, there is some additional latency
before a decision is made. The Arcjet API has been designed for high
performance and low latency, and is deployed to multiple regions around the
world. The SDK will automatically use the closest region which means the
total overhead is typically no more than 20-30ms, often significantly less.
What happens if Arcjet is unavailable?
Where a decision has been cached locally e.g. blocking a client, Arcjet
will continue to function even if the service is unavailable.
If a call to the Arcjet API is needed and there is a network problem or
Arcjet is unavailable, the default behavior is to fail open and allow
the request. You have control over how to handle errors, including choosing
to fail close if you prefer. See the reference docs for details.
How does Arcjet protect me against DDoS attacks?
Network layer attacks tend to be generic and high volume, so these are
best handled by your hosting platform. Most cloud providers include network
DDoS protection by default.
Arcjet sits closer to your application so it can understand the context.
This is important because some types of traffic may not look like a DDoS
attack, but can still have the same effect. For example, a customer making
too many API requests and affecting other customers, or large numbers of
signups from disposable email addresses.
Network-level DDoS protection tools find it difficult to protect against
this type of traffic because they don't understand the structure of your
application. Arcjet can help you to identify and block this traffic by
integrating with your codebase and understanding the context of the
request e.g. the customer ID or sensitivity of the API route.
Volumetric network attacks are best handled by your hosting provider.
Application level attacks need to be handled by the application. That's
where Arcjet helps.
What next?
Arcjet can be used with specific rules on individual routes or as general
protection on your entire application. You can customize bot protection, rate
limiting for your API and minimize fraudulent registrations with the signup form
protection.