Security doesn't have to be a pain
Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.
$ npm install @arcjet/node 

Integrates with

Native security for modern frameworks
security as code
  • Implement bot protection, rate limiting, email validation & more in just a few lines of code.
  • Customizable protection for forms, login pages, API routes, for all your apps and sites.
  • Don’t break prod. Test security rules locally.
    Protection that works in every environment. Security as code. No agent required.

Tech stack

Defense

Arcjet Shield WAF

Protect your application against common attacks, including the OWASP Top 10.

Read the docs
middleware.ts
// Protect against common attacks e.g. SQL injection, XSS, CSRF
import arcjet, { createMiddleware, shield } from "@arcjet/next";

export const config = {
  // matcher tells Next.js which routes to run the middleware on.
  // This runs the middleware on all routes except for static assets.
  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
};

const aj = arcjet({
  // Site key is read from the environment rather than hard-coded
  key: process.env.ARCJET_KEY!,
  rules: [
    // Block common attacks e.g. SQL injection, XSS, CSRF
    shield({
      // Will block requests. Use "DRY_RUN" to log only
      mode: "LIVE",
    }),
  ],
});

// Pass existing middleware with optional existingMiddleware prop
export default createMiddleware(aj);

Rate limiting

Bot protection

Email validation

PII detection

Outsourced security? You might be used to this.

Unversioned, untracked, click-ops rule changes.

Only able to test rule changes in prod.

Deploying agents everywhere.

LATENCY: Provider dependent
?: You're delegating control anywhere a question mark is

Here's how it looks with Arcjet

Local-first security
make your app security aware

Security context

Dynamically adjustable rules defined in code. Access the metadata about why a request was allowed or denied and adjust your app logic in real time.

Testable security rules

Native performance with Wasm

What are devs saying?

LangChain

@LangChainAI


“Detect, block, and redact PII locally without sending it to the cloud using Arcjet. Now integrated with LangChain”

MangoAPI

@mangoapidev


“… @arcjethq for contact form protection on my portfolio! I highly recommend checking them out if you're looking to implement rate limiting or email validation.”

Matt Biilmann

CEO, Netlify


“I've been following their dev centric approach to security features for a while now, and love the ability to compose together Netlify and Arcjet right from the Netlify Dashboard.”

Jacob Lee

Founding Software Engineer · Langchain


“A local, JS-first solution to an ongoing problem around sending sensitive information to LLMs.”

The JavaScript Dev

TheJSDev


“… newsletter subscription with NextJS, Supabase, Nodemailer, and Arcjet, tackling spam and bot challenges effectively.”

Thatch

thatch.ai


“Arcjet has helped us easily invest in the security and efficiency of our platform … Arcjet gives us rich application-level insights at runtime to build security automations in critical parts of our application, from sales to customer onboarding.”

Scaling Devtools

David Mytton - Arcjet and console.dev

Stack Overflow

The Stack Overflow Podcast: David Mytton, CEO of Arcjet

ByteGrad

Top 11 Security Mistakes in Next.js 15 to Avoid - Don't Leak User Data!

devtools FM

ArcJet - Enhancing Application Security

Use advanced features

IP geolocation

Access IP metadata for country, region, timezone, network owner (ASN), etc.

if (decision.ip.city === "San Francisco") { /* ... */ }
if (decision.ip.region === "California") { /* ... */ }
if (decision.ip.country === "US") { /* ... */ }
if (decision.ip.asnType === "business") { /* ... */ }
Payment form protection

Block suspicious transactions before they hit your card processor.

VPN & proxy detection

Detect requests coming from VPNs, proxies, Tor, relays, and other anonymizing services.

AI quota control

Set dynamic quotas based on token counts and rules based on API keys, session, pricing plan, and other user data.

Redact PII

Mask credit cards, emails, phone numbers, IP addresses, & create custom detections.

Sampling & testing

Test rules without blocking traffic using Arcjet's DRY_RUN mode. Apply sampling to gradually roll out new rules.

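// `aj` is the Arcjet client and `shield` the rule, set up as in the Shield middleware example.
function shouldSampleRequest(sampleRate: number) {
  // True for roughly `sampleRate` of calls (0.1 = 10%).
  return Math.random() < sampleRate;
}

function sampleSecurity() {
  // Enforce on about 10% of requests; the rest run in log-only mode.
  const mode = shouldSampleRequest(0.1) ? "LIVE" : "DRY_RUN";
  return aj.withRule(
    shield({ mode: mode }),
  );
}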
GraphQL

Apply complex and dynamic rate limiting rules within GraphQL endpoints.

Everything is code

Define rules dynamically and adjust responses based on the Arcjet security signals with variables, functions, conditionals, and all the power of JS.

Any specific ideas? We can help you set things up

Contact us or join our Discord

Get started with Arcjet