Testing Arcjet
Unlike network-based security solutions, Arcjet can run locally, in staging and in production. This makes it easy to test your security rules before deploying them.
You can also automate testing against your Arcjet-projected routes using standard testing libraries.
Testing using Newman
Newman is an open source command-line collection runner for Postman. It allows you to define requests in Postman format and run them from the command line without requiring Postman itself.
You can find our full example of how to test Arcjet with Express and Newman on GitHub. The key files are:
index.js
is a simple Express server that uses Arcjet to protect several routes. This is the application being tested.tests/api.test.js
is the test runner which loads the test definitions, executes them with Newman, and then asserts the expected results.- The
tests/bots.json
,tests/high-rate-limit.json
, andtests/low-rate-limit.json
files define the test requests in Postman Collection format.
The example
README
explains how to start the test application and then execute the tests using
Newman.
To adapt these to your own application you would modify the tests/*.json
files
to point to your application endpoints, and then run them using the Newman CLI.
This allows you to automate testing and run multiple iterations e.g. to test a
rate limit.
Testing triggering rules
Arcjet runs the same in production as locally. This ensures that the behavior you see in development is the same as in production. However, there are ways to trigger the different rules.
- Shield: Send 5 requests with the special header
x-arcjet-suspicious: true
to trigger the shield rule on the next request. - Rate limiting: Make more requests than the rate limit allows.
- Bot protection: Bot detection uses multiple heuristics so the quickest way
to get a bot detection
DENY
response is to make a request that is always considered a bot. With a deny rule set toCURL
you should see aDENY
response if you make a request using thecurl
command. See Identifying Bots for more information. - Email validation: Use an email address that has invalid syntax or does not match any other rules you have configured e.g. has no MX records or if from a disposable email service.
Sampling
Arcjet is designed to run on every request. When testing your rules, you can use
DRY_RUN
mode to see how your rules would behave without actually enforcing
them. The result will be logged, but all requests will be allowed. This is useful
for testing your rules without affecting your users.
You can also write a simple sampling function to set the Arcjet rules using
withRule
based on a desired sample rate. This allows you to test your rules on
a subset of your traffic.
This Next.js middleware example shows how to trigger Arcjet Shield and bot detection rules in live mode on 10% of your traffic.