Testing Arcjet

Unlike network-based security solutions, Arcjet can run locally, in staging and in production. This makes it easy to test your security rules before deploying them.

You can also automate testing against your Arcjet-protected routes using standard testing libraries.

Testing using Newman

Newman is an open source command-line collection runner for Postman. It allows you to define requests in Postman format and run them from the command line without requiring Postman itself.

You can find our full example of how to test Arcjet with Express and Newman on GitHub. The key files are:

The example README explains how to start the test application and then execute the tests using Newman.

To adapt these to your own application, modify the tests/*.json files to point to your application endpoints, and then run them using the Newman CLI. This allows you to automate testing and run multiple iterations, e.g. to test a rate limit.

Testing triggering rules

Arcjet runs the same in production as locally. This ensures that the behavior you see in development is the same as in production. To test a rule, you can deliberately trigger it in the following ways:

  • Shield: Send 5 requests with the special header x-arcjet-suspicious: true to trigger the shield rule on the next request.
  • Rate limiting: Make more requests than the rate limit allows.
  • Bot protection: Bot detection uses multiple heuristics so the quickest way to get a bot detection DENY response is to make a request that is always considered a bot. With a deny rule set to CURL you should see a DENY response if you make a request using the curl command. See Identifying Bots for more information.
  • Email validation: Use an email address that has invalid syntax or does not match any other rules you have configured, e.g. has no MX records or is from a disposable email service.
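
The Shield and rate limiting triggers above can be scripted as repeatable checks. The following is an added example, not code from Arcjet or its example repository. It assumes your handler answers a DENY decision with 403 for Shield and 429 for rate limiting; the URL, the limit of 3 and the `fakeApp` stand-in are constructed placeholders.

```javascript
// Added example (not Arcjet's code). Assumptions: your handler answers a DENY
// decision with 403 (Shield) or 429 (rate limit); URLs and limits are yours.
const SUSPICIOUS = { "x-arcjet-suspicious": "true" };

// Send `count` sequential requests and return their HTTP status codes.
async function burst(url, count, headers = {}, fetchImpl = globalThis.fetch) {
  const statuses = [];
  for (let i = 0; i < count; i++) {
    statuses.push((await fetchImpl(url, { headers })).status);
  }
  return statuses;
}

// Index of the first denied response, or -1 if nothing was denied.
function firstDenied(statuses, denyStatus) {
  return statuses.indexOf(denyStatus);
}

// Shield: 5 flagged requests, then the next request should be denied.
async function checkShield(url, fetchImpl = globalThis.fetch, denyStatus = 403) {
  const flagged = await burst(url, 5, SUSPICIOUS, fetchImpl);
  const [next] = await burst(url, 1, {}, fetchImpl);
  return { flagged, next, triggered: next === denyStatus };
}

// Rate limit: with a fresh window, send max + 1 requests; only the last is denied.
async function checkRateLimit(url, max, fetchImpl = globalThis.fetch, denyStatus = 429) {
  const statuses = await burst(url, max + 1, {}, fetchImpl);
  return { statuses, triggered: firstDenied(statuses, denyStatus) === max };
}

// Constructed stand-in for a protected app so the checks run offline.
// It mimics only the two behaviours above; it is not how Arcjet decides.
function fakeApp(max) {
  let flagged = 0, plain = 0;
  return async (_url, { headers = {} } = {}) => {
    if (headers["x-arcjet-suspicious"] === "true") return { status: ++flagged > 5 ? 403 : 200 };
    if (flagged >= 5) return { status: 403 };
    return { status: ++plain > max ? 429 : 200 };
  };
}

// Demo against the stand-in; drop the fakeApp argument and use your app's URL
// to run the same checks with the real fetch.
checkRateLimit("http://localhost:3000/", 3, fakeApp(3))
  .then((r) => console.log("rate limit", r));
checkShield("http://localhost:3000/", fakeApp(3))
  .then((r) => console.log("shield", r));
```

Run the rate limit check before the Shield check against a real application, since a triggered Shield rule will also deny the plain requests that follow.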

Sampling

See the Sampling Blueprint for how to write a sampling function to test your Arcjet security rules on a subset of your traffic.
