Skip to content

Signup form protection for Node.js

Arcjet signup form protection combines rate limiting, bot protection, and email validation to protect your signup forms from abuse.

What is Arcjet? Arcjet helps developers protect their apps in just a few lines of code. Implement rate limiting, bot protection, email verification & defend against common attacks.

Quick start

This guide will show you how to protect a Node.js signup form.

1. Install SDK

In your project root, run the following command to install the SDK:

Terminal window
npm i @arcjet/node

2. Set your key

Create a free Arcjet account then follow the instructions to add a site and get a key. Add it to a .env.local file in your project root:


3. Protect a form

Arcjet signup form protection is a combination of the rate limiting, bot protection, and email validation primitives. These are configured using our recommended rules.

The example below is a simple email form that submits to an API route. You could adapt this as part of a signup form.

import arcjet, { protectSignup } from "@arcjet/node";
import express from "express";
const app = express();
const port = 3000;
app.use(express.urlencoded({ extended: false }));
const aj = arcjet({
// Get your site key from and set it as an environment
// variable rather than hard coding.
key: process.env.ARCJET_KEY!,
rules: [
email: {
mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
// Block emails that are disposable, invalid, or have no MX records
bots: {
mode: "LIVE",
// Block clients that we are sure are automated
block: ["AUTOMATED"],
// It would be unusual for a form to be submitted more than 5 times in 10
// minutes from the same IP address
rateLimit: {
// uses a sliding window rate limit
mode: "LIVE",
interval: "10m", // counts requests over a 10 minute sliding window
max: 5, // allows 5 submissions within the window
});"/", async (req, res) => {
const email =;
const decision = await aj.protect(req, { email });
console.log("Arcjet decision", decision);
if (decision.isDenied()) {
if (decision.reason.isEmail()) {
// If the email is invalid then return an error message
res.writeHead(400, { "Content-Type": "application/json" });
JSON.stringify({ error: "Invalid email", reason: decision.reason }),
} else {
// We get here if the client is a bot or the rate limit has been exceeded
res.writeHead(403, { "Content-Type": "application/json" });
res.end(JSON.stringify({ error: "Forbidden" }));
} else {
res.writeHead(200, { "Content-Type": "application/json" });
res.end(JSON.stringify({ message: "Hello World", email }));
app.listen(port, () => {
console.log(`Example app listening on port ${port}`);

4. Start server

Terminal window
npx tsx --env-file .env.local index.ts

Make a curl POST request from your terminal to your application with various emails to test the result.

Terminal window
curl -X POST -d '' http://localhost:3000/

The requests will also show up in the Arcjet dashboard.


Do I need to run any infrastructure e.g. Redis?

No, Arcjet handles all the infrastructure for you so you don't need to worry about deploying global Redis clusters, designing data structures to track rate limits, or keeping security detection rules up to date.

What is the performance overhead?

Arcjet SDK tries to do as much as possible asynchronously and locally to minimize latency for each request. Where decisions can be made locally or previous decisions are cached in-memory, latency is usually <1ms.

When a call to the Arcjet API is required, such as when tracking a rate limit in a serverless environment, there is some additional latency before a decision is made. The Arcjet API has been designed for high performance and low latency, and is deployed to multiple regions around the world. The SDK will automatically use the closest region which means the total overhead is typically no more than 20-30ms, often significantly less.

What happens if Arcjet is unavailable?

Where a decision has been cached locally e.g. blocking a client, Arcjet will continue to function even if the service is unavailable.

If a call to the Arcjet API is needed and there is a network problem or Arcjet is unavailable, the default behavior is to fail open and allow the request. You have control over how to handle errors, including choosing to fail close if you prefer. See the reference docs for details.

How does Arcjet protect me against DDoS attacks?

Network layer attacks tend to be generic and high volume, so these are best handled by your hosting platform. Most cloud providers include network DDoS protection by default.

Arcjet sits closer to your application so it can understand the context. This is important because some types of traffic may not look like a DDoS attack, but can still have the same effect. For example, a customer making too many API requests and affecting other customers, or large numbers of signups from disposable email addresses.

Network-level DDoS protection tools find it difficult to protect against this type of traffic because they don't understand the structure of your application. Arcjet can help you to identify and block this traffic by integrating with your codebase and understanding the context of the request e.g. the customer ID or sensitivity of the API route.

Volumetric network attacks are best handled by your hosting provider. Application level attacks need to be handled by the application. That's where Arcjet helps.

What next?

Get help

Need help with anything? Email us or join our Discord to get support from our engineering team.