Arcjet helps developers protect their apps in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.
This is the monorepo containing various Arcjet open source packages for JS.
Arcjet security features for protecting JS apps:
- 🤖 Bot protection — detect bots, block bad bots, verify legitimate bots, and reduce unwanted automated requests before they reach your application.
- 🛑 Rate limiting — control how many requests a client can make to your application or API over a given period of time.
- 🛡️ Shield WAF — protects your application against common web attacks, including the OWASP Top 10, by analyzing requests over time and blocking clients that show suspicious behavior.
- 📧 Email validation — validate and verify email addresses in your application to reduce spam and fraudulent signups.
- 📝 Signup form protection — combines bot protection, email validation, and rate limiting to protect your signup and lead capture forms from spam, fake accounts, and signup fraud.
- 🕵️‍♂️ Sensitive information — detect and block sensitive data in request bodies before it enters your application. Use it to prevent clients from sending personally identifiable information (PII) and other data you do not want to handle.
- 🎯 Filters — define custom security and traffic rules inside your application code. Use filters to block unwanted traffic based on request fields, IP reputation, geography, VPN or proxy usage, and other signals.
- Astro
- Bun + Hono
- Bun
- Deno
- Fastify
- NestJS
- Next.js
- Node.js + Express
- Node.js + Hono
- Node.js
- Nuxt
- React Router
- Remix
- SvelteKit
Join our Discord server or reach out for support.
- Astro
- Deno
- Express
- FastAPI
- Fastify
- NestJS
- Next.js (try live)
- Nuxt
- React Router
- Remix
- SvelteKit
- Tanstack Start
- AI quota control
- Cookie banner
- Custom rule
- IP geolocation
- Feedback form
- Malicious traffic
- Payment form
- Sampling traffic
- VPN & proxy
Read the docs at docs.arcjet.com.
This example will enable Arcjet bot protection across your entire Next.js application. Next.js middleware runs before every request, allowing Arcjet to protect your entire application before your code runs.
It will return a 403 Forbidden response for all requests from bots not in the allow list.
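Which requests the middleware sees is decided by the `matcher` pattern in `middleware.ts`, so "entire application" means every path that pattern matches. The check below is an added example, not code from the Arcjet repository: it runs a constructed list of paths against that pattern and reports the ones that skip the middleware. It assumes Next.js matches the pattern against the whole pathname, approximated here with an anchored `RegExp`; `isProtected`, `unprotectedPaths` and `samplePaths` are hypothetical names.

```typescript
// Added example: audit which request paths the middleware matcher covers.
// MATCHER is copied from middleware.ts; every other name is illustrative.
const MATCHER = "/((?!_next/static|_next/image|favicon.ico).*)";

// Assumption: Next.js tests the pattern against the whole pathname, so it is
// approximated here by anchoring it with ^ and $ as a plain RegExp.
const matcherRegExp = new RegExp(`^${MATCHER}$`);

// True when the middleware (and therefore aj.protect) runs for this pathname.
function isProtected(pathname: string): boolean {
  return matcherRegExp.test(pathname);
}

// Returns the paths that never reach the middleware.
function unprotectedPaths(paths: string[]): string[] {
  return paths.filter((p) => !isProtected(p));
}

// Constructed sample routes, not taken from a real application.
const samplePaths: string[] = [
  "/",
  "/api/signup",
  "/dashboard/settings",
  "/_next/data/build-id/index.json", // not excluded: only static and image are
  "/_next/static/chunks/main.js", // intended exclusion (static asset)
  "/_next/image", // intended exclusion (image optimizer)
  "/favicon.ico", // intended exclusion
  // The negative lookahead is a prefix test, so any path that merely starts
  // with an excluded string is skipped as well.
  "/_next/static-reports",
  "/favicon.ico.json",
];

// Paths to review: anything listed here is served without the bot check.
console.log(unprotectedPaths(samplePaths));
```

The `middleware.ts` listing that follows is where this matcher is set. Run the check against your own route list whenever the exclusion pattern changes.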
```ts
// middleware.ts
import arcjet, { ArcjetRuleResult, detectBot } from "@arcjet/next";
import { isSpoofedBot } from "@arcjet/inspect";
import { NextRequest, NextResponse } from "next/server";

export const config = {
  // matcher tells Next.js which routes to run the middleware on.
  // This runs the middleware on all routes except for static assets.
  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
};

const aj = arcjet({
  key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
  rules: [
    detectBot({
      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
      // Block all bots except the following
      allow: [
        "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc
        // Uncomment to allow these other common bot categories
        // See the full list at https://arcjet.com/bot-list
        //"CATEGORY:MONITOR", // Uptime monitoring services
        //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
      ],
    }),
  ],
});

export default async function middleware(request: NextRequest) {
  const decision = await aj.protect(request);

  // Bots not in the allow list will be blocked
  if (decision.isDenied()) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

  // Arcjet Pro plan verifies the authenticity of common bots using IP data.
  // Verification isn't always possible, so we recommend checking the results
  // separately.
  // https://docs.arcjet.com/bot-protection/reference#bot-verification
  if (decision.results.some(isSpoofedBot)) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

  return NextResponse.next();
}
```

This simple Node.js server is protected with Arcjet bot protection. It will return a 403 Forbidden response for all requests from bots not in the allow list.
```ts
// server.ts
import arcjet, { detectBot } from "@arcjet/node";
import http from "node:http";

const aj = arcjet({
  key: process.env.ARCJET_KEY!, // Get your site key from https://app.arcjet.com
  rules: [
    detectBot({
      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
      // configured with a list of bots to allow from
      // https://arcjet.com/bot-list
      // Block all bots except the following
      allow: [
        "CATEGORY:SEARCH_ENGINE", // Google, Bing, etc
        // Uncomment to allow these other common bot categories
        // See the full list at https://arcjet.com/bot-list
        //"CATEGORY:MONITOR", // Uptime monitoring services
        //"CATEGORY:PREVIEW", // Link previews e.g. Slack, Discord
      ],
    }),
  ],
});

const server = http.createServer(async function (
  req: http.IncomingMessage,
  res: http.ServerResponse,
) {
  const decision = await aj.protect(req);
  console.log("Arcjet decision", decision);

  if (decision.isDenied()) {
    res.writeHead(403, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ error: "Forbidden" }));
  } else {
    res.writeHead(200, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ message: "Hello world" }));
  }
});

server.listen(8000);
```

We provide the source code for various packages in this repository, so you can find a specific one through the categories and descriptions below.
- `@arcjet/astro`: SDK for Astro.
- `@arcjet/bun`: SDK for Bun.
- `@arcjet/deno`: SDK for Deno.
- `@arcjet/fastify`: SDK for Fastify.
- `@arcjet/nest`: SDK for NestJS.
- `@arcjet/next`: SDK for Next.js.
- `@arcjet/node`: SDK for Node.js.
- `@arcjet/nuxt`: SDK for Nuxt.
- `@arcjet/react-router`: SDK for React Router.
- `@arcjet/remix`: SDK for Remix.
- `@arcjet/sveltekit`: SDK for SvelteKit.
See the docs for details.
- `@nosecone/next`: Protect your Next.js application with secure headers.
- `@nosecone/sveltekit`: Protect your SvelteKit application with secure headers.
- `nosecone`: Protect your `Response` with secure headers.

- `@arcjet/analyze`: Local analysis engine.
- `@arcjet/body`: Extract the body from a stream.
- `@arcjet/cache`: Basic cache interface and implementations.
- `@arcjet/decorate`: Decorate responses with info.
- `@arcjet/duration`: Parse duration strings.
- `@arcjet/env`: Environment detection.
- `@arcjet/headers`: Extension of the Headers class.
- `@arcjet/inspect`: Inspect decisions made by an SDK.
- `@arcjet/ip`: Find the originating IP of a request.
- `@arcjet/logger`: Lightweight logger which mirrors the Pino structured logger interface.
- `@arcjet/protocol`: JS interface into the protocol.
- `@arcjet/redact`: Redact & unredact sensitive info from strings.
- `@arcjet/runtime`: Runtime detection.
- `@arcjet/sprintf`: Platform-independent replacement for `util.format`.
- `@arcjet/stable-hash`: Stable hashing.
- `@arcjet/transport`: Transport mechanisms for the Arcjet protocol.
- `arcjet`: JS SDK core.

- `@arcjet/eslint-config`: Custom eslint config for our projects.
- `@arcjet/rollup-config`: Custom rollup config for our projects.
This repository follows the Arcjet Support Policy.
This repository follows the Arcjet Security Policy.
Packages maintained in this repository are compatible with maintained versions of Node.js and the current minor release of TypeScript.
The current release line, `@arcjet/*` on `1.0.0-beta.*`, is compatible with Node.js 20.
Licensed under the Apache License, Version 2.0.