Arcjet helps developers protect their apps in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.
This is an example NestJS application demonstrating the use of multiple features.
- Bot protection shows how a page can be protected from automated clients.
- Rate limiting shows the use of different rate limit configurations depending on the authenticated user. A logged-in user can make more requests than an anonymous user.
- Signup form protection uses Arcjet's server-side email verification configured to block disposable providers and ensure that the domain has a valid MX record. It also includes rate limiting and bot protection to prevent automated abuse.
- Sensitive info protects against clients sending you sensitive information such as PII that you do not wish to handle.
- Attack protection demonstrates Arcjet Shield, which detects suspicious behavior such as SQL injection and cross-site scripting attacks.
- Install dependencies:
npm ci
- Rename .env.local.example to .env.local and add your Arcjet key.
- Start the dev server:
npm run start
NestJS is a server-side framework, so you won't see much in the browser. Here are some API routes to try:
The /bots route uses a guard to protect the controller. All automated clients will receive a 403 response. curl is considered an automated client by default, so you can test it with:
curl -v http://localhost:3000/bots
The /bots-advanced route returns a more customized response:
curl -v http://localhost:3000/bots-advanced
The /rate-limiting route uses a fixed window rate limit. Send 3 requests in quick succession to see the rate limit in action:
curl -v http://localhost:3000/rate-limiting
The /rate-limiting-advanced route uses a token bucket rate limit with a customized response. Send 3 requests in quick succession to see it working:
curl -v http://localhost:3000/rate-limiting-advanced
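To make the difference between the two rules concrete, here is an added example (written for this page, not code from the Arcjet NestJS sample or the Arcjet SDK) that implements an in-memory fixed-window limiter and an in-memory token-bucket limiter and replays a burst of requests through each. It also applies the per-user idea from the feature list: a key of the form user:<id> gets a larger fixed-window allowance than an ip:<address> key. All limits, keys and timestamps are invented for illustration.

```typescript
// Added example, not from the Arcjet examples repository. Two minimal limiters
// keyed per client, driven by an explicit clock so the behaviour is deterministic.

export interface Decision {
  allowed: boolean;
  remaining: number;
}

export interface Limiter {
  check(key: string, nowMs: number): Decision;
}

// Fixed window: one counter per client, reset at every window boundary.
// `maxFor` lets the allowance depend on who the client is.
export class FixedWindowLimiter implements Limiter {
  private readonly counters = new Map<string, { windowStart: number; count: number }>();

  constructor(private readonly windowMs: number, private readonly maxFor: (key: string) => number) {}

  check(key: string, nowMs: number): Decision {
    const max = this.maxFor(key);
    const windowStart = Math.floor(nowMs / this.windowMs) * this.windowMs;
    const entry = this.counters.get(key);
    if (entry === undefined || entry.windowStart !== windowStart) {
      this.counters.set(key, { windowStart, count: 1 });
      return { allowed: true, remaining: max - 1 };
    }
    if (entry.count >= max) {
      return { allowed: false, remaining: 0 };
    }
    entry.count += 1;
    return { allowed: true, remaining: max - entry.count };
  }
}

// Token bucket: each client holds up to `capacity` tokens, refilled continuously
// at `refillPerSec`; a request spends one token. Bursts up to `capacity` are
// admitted, after which traffic is smoothed to the refill rate.
export class TokenBucketLimiter implements Limiter {
  private readonly buckets = new Map<string, { tokens: number; updatedMs: number }>();

  constructor(private readonly capacity: number, private readonly refillPerSec: number) {}

  check(key: string, nowMs: number): Decision {
    let bucket = this.buckets.get(key);
    if (bucket === undefined) {
      bucket = { tokens: this.capacity, updatedMs: nowMs };
      this.buckets.set(key, bucket);
    }
    const elapsedSec = Math.max(0, nowMs - bucket.updatedMs) / 1000;
    bucket.tokens = Math.min(this.capacity, bucket.tokens + elapsedSec * this.refillPerSec);
    bucket.updatedMs = nowMs;
    if (bucket.tokens < 1) {
      return { allowed: false, remaining: 0 };
    }
    bucket.tokens -= 1;
    return { allowed: true, remaining: Math.floor(bucket.tokens) };
  }
}

// Invented quota policy: a logged-in user (key "user:<id>") may make more
// requests per window than an anonymous client (key "ip:<address>").
export function quotaFor(key: string): number {
  return key.startsWith("user:") ? 10 : 2;
}

// Replays a burst of requests from one client and reports each decision.
export function runBurst(limiter: Limiter, key: string, timesMs: number[]): boolean[] {
  return timesMs.map((t) => limiter.check(key, t).allowed);
}
```

Both limiters refuse the third rapid anonymous request, but they fail differently afterwards: the fixed window admits a fresh burst the instant the window rolls over (so a client can send two bursts back to back across the boundary), while the token bucket admits one more request only after enough refill time has passed, which is why the bucket is the better fit for smoothing sustained traffic.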
The /signup route uses Arcjet's signup form protection, which combines bot protection, rate limiting, and email verification. To test it, send a POST request with different email addresses:
curl -v http://localhost:3000/signup \
-X POST \
--data "email=invalid.@arcjet"
Try these emails to see how it works:
- invalid.@arcjet – is an invalid email address.
- test@0zc7eznv3rsiswlohu.tk – is from a disposable email provider.
- nonexistent@arcjet.ai – is a valid email address & domain, but has no MX records.
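The three test addresses above each trip a different check. The following added example (written for this page; it is not Arcjet's email verification, which runs server-side and is not reproduced here) shows the same three checks applied in the order a signup guard would run them: cheap syntax validation first, then a disposable-domain lookup, and only then a DNS MX query. The disposable-domain list is a constructed sample, and the MX resolver is passed in as a function so the code runs offline; a real service would wrap dns.promises.resolveMx from Node's standard library.

```typescript
// Added example, not the project's code. Approximates the signup email checks
// described in the README with a pluggable MX resolver.

export type EmailVerdict = "VALID" | "INVALID_SYNTAX" | "DISPOSABLE" | "NO_MX_RECORDS";

// Returns the MX hostnames for a domain, or [] if there are none.
export type MxResolver = (domain: string) => string[];

// Constructed sample; production services use a maintained blocklist.
export const DISPOSABLE_DOMAINS: ReadonlySet<string> = new Set([
  "0zc7eznv3rsiswlohu.tk",
  "mailinator.com",
]);

// Dot-atom local part: no leading, trailing or doubled dots.
const LOCAL_PART = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+)*$/;
// One DNS label: alphanumeric, hyphens allowed inside, at most 63 characters.
const DNS_LABEL = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

export function splitEmail(email: string): { local: string; domain: string } | null {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return { local: email.slice(0, at), domain: email.slice(at + 1).toLowerCase() };
}

// Syntax check. "invalid.@arcjet" fails twice over: the local part ends in a dot
// and the domain has a single label with no TLD.
export function hasValidSyntax(email: string): boolean {
  const parts = splitEmail(email);
  if (parts === null || email.length > 254 || parts.local.length > 64) return false;
  if (!LOCAL_PART.test(parts.local)) return false;
  const labels = parts.domain.split(".");
  if (labels.length < 2) return false;
  if (!labels.every((label) => DNS_LABEL.test(label))) return false;
  return /^[A-Za-z]{2,}$/.test(labels[labels.length - 1]);
}

export function verifyEmail(email: string, resolveMx: MxResolver): EmailVerdict {
  if (!hasValidSyntax(email)) return "INVALID_SYNTAX";
  const parts = splitEmail(email);
  if (parts === null) return "INVALID_SYNTAX";
  if (DISPOSABLE_DOMAINS.has(parts.domain)) return "DISPOSABLE";
  // Only pay for a network lookup once the free checks have passed, so that
  // junk submissions cannot turn the signup form into a DNS query amplifier.
  if (resolveMx(parts.domain).length === 0) return "NO_MX_RECORDS";
  return "VALID";
}
```

Ordering matters for more than performance: the MX lookup is the only step that touches the network, so running it last keeps a flood of obviously malformed or disposable addresses from costing a DNS query each, which is one reason the route also carries rate limiting and bot protection.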
The /sensitive-info route uses a guard to protect the controller. It will block requests containing credit card numbers:
curl -v http://localhost:3000/sensitive-info \
-H "Content-Type: text/plain" \
-X POST \
--data "Hello my credit card is 4111111111111111"
The /sensitive-info-advanced route returns a more customized response:
curl -v http://localhost:3000/sensitive-info-advanced \
-H "Content-Type: text/plain" \
-X POST \
--data "Hello my credit card is 4111111111111111"
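The body in that request is blocked because it contains a card number. As an added example (written for this page, not Arcjet's detector, whose rules are not reproduced here), the block below shows the standard way to recognise that class of data: collect runs of 13 to 19 digits, optionally separated by single spaces or hyphens, and keep only those that pass the Luhn checksum, so phone numbers and most IDs are not flagged. It also shows the two responses a guard can take, deny the request or redact the value. The sample bodies are constructed.

```typescript
// Added example, not from the Arcjet examples repository. Luhn-based card
// number detection and redaction over a plain-text request body.

// 13 to 19 digits with optional single space/hyphen separators, on word boundaries.
const CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/;

// Luhn (mod 10) checksum over a string of ASCII digits.
export function luhnValid(digits: string): boolean {
  if (!/^\d{2,}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i -= 1) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns the digits-only form of every card number found in the body.
export function findCardNumbers(body: string): string[] {
  const found: string[] = [];
  const re = new RegExp(CANDIDATE.source, "g");
  let m: RegExpExecArray | null;
  while ((m = re.exec(body)) !== null) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Replaces each detected card number with a mask that keeps the last four
// digits, the form you would accept into logs or storage.
export function redactCardNumbers(body: string): string {
  return body.replace(new RegExp(CANDIDATE.source, "g"), (raw) => {
    const digits = raw.replace(/[ -]/g, "");
    return luhnValid(digits) ? `[card ****${digits.slice(-4)}]` : raw;
  });
}

export interface BodyDecision {
  allowed: boolean;
  reason?: string;
}

// Guard-style decision: deny the request if any card number is present.
export function decideBody(body: string): BodyDecision {
  const cards = findCardNumbers(body);
  if (cards.length > 0) {
    return { allowed: false, reason: `body contains ${cards.length} card number(s)` };
  }
  return { allowed: true };
}
```

The Luhn step is what keeps the false-positive rate tolerable: 4111111111111112 has the same shape as the test number in the curl command but fails the checksum and is left alone, while 4111 1111 1111 1111 with separators is still caught.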
The /attack route uses Arcjet Shield to detect and block attacks, such as SQL injection and cross-site scripting. To simulate an attack, send a request with the special header:
curl -v http://localhost:3000/attack \
-H "x-arcjet-suspicious: true"
Suspicious requests must meet a threshold before they are blocked, to avoid false positives: after the 5th request, your IP will be blocked for 15 minutes.
Shield is configured as a default rule in the app.module.ts file because you typically want to apply it to every route.
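The threshold-then-block behaviour is the interesting part of that description, so here is an added example (written for this page; it is not Arcjet's Shield, whose heuristics and state live on Arcjet's side) of a per-client tracker that implements it. The numbers, 5 suspicious requests and a 15-minute block, come from the README; the class and function names, the use of the x-arcjet-suspicious header as the classifier, and the choice to refuse the fifth suspicious request itself rather than the sixth are assumptions made for the example.

```typescript
// Added example, not from the Arcjet examples repository. Counts suspicious
// requests per client and blocks the client once a threshold is reached.

export type ShieldDecision = "ALLOW" | "DENY";

// The README's simulation trigger, used here as the request classifier.
// Header names are assumed to be lower-cased, as Node's http module does.
export function isSuspicious(headers: Record<string, string | undefined>): boolean {
  return (headers["x-arcjet-suspicious"] ?? "").toLowerCase() === "true";
}

export class SuspicionTracker {
  private readonly hits = new Map<string, number[]>(); // timestamps of suspicious requests
  private readonly blockedUntil = new Map<string, number>(); // client -> block expiry (ms)

  constructor(
    private readonly threshold = 5,
    private readonly blockMs = 15 * 60_000,
    private readonly countWindowMs = 15 * 60_000,
  ) {}

  decide(ip: string, suspicious: boolean, nowMs: number): ShieldDecision {
    const until = this.blockedUntil.get(ip);
    if (until !== undefined) {
      if (nowMs < until) return "DENY"; // still serving the block, benign or not
      this.blockedUntil.delete(ip); // block expired: start the client fresh
      this.hits.delete(ip);
    }
    if (!suspicious) return "ALLOW"; // benign traffic never counts towards the threshold

    // Keep only hits inside the counting window so a stray probe hours ago
    // does not tip a client over the threshold today.
    const recent = (this.hits.get(ip) ?? []).filter((t) => nowMs - t < this.countWindowMs);
    recent.push(nowMs);
    this.hits.set(ip, recent);

    if (recent.length >= this.threshold) {
      this.blockedUntil.set(ip, nowMs + this.blockMs);
      return "DENY";
    }
    return "ALLOW"; // below threshold: a single false positive costs nothing
  }

  isBlocked(ip: string, nowMs: number): boolean {
    const until = this.blockedUntil.get(ip);
    return until !== undefined && nowMs < until;
  }
}

// Replays (suspicious, timestamp) pairs for one client and returns each decision.
export function replay(
  tracker: SuspicionTracker,
  ip: string,
  requests: Array<[boolean, number]>,
): ShieldDecision[] {
  return requests.map(([suspicious, t]) => tracker.decide(ip, suspicious, t));
}
```

Two properties are worth checking when you write something like this: a blocked client must stay blocked even for requests that look benign, otherwise an attacker simply interleaves clean requests, and the counter must expire, otherwise a client that trips a heuristic once a week is eventually locked out.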
Check out the docs, contact support, or join our Discord server.
All development for Arcjet examples is done in the arcjet/examples repository. You are welcome to open an issue here or in arcjet/examples directly. However, please direct all pull requests to arcjet/examples. Take a look at our contributing guide for more information.