
An example NestJS application protected by Arcjet.


arcjet/example-nestjs


Arcjet NestJS example app

Arcjet helps developers protect their apps in just a few lines of code. Bot detection. Rate limiting. Email validation. Attack protection. Data redaction. A developer-first approach to security.

This is an example NestJS application demonstrating the use of multiple features.

Features

  • Bot protection shows how a page can be protected from automated clients.
  • Rate limiting shows the use of different rate limit configurations depending on the authenticated user. A logged-in user can make more requests than an anonymous user.
  • Signup form protection uses Arcjet's server-side email verification configured to block disposable providers and ensure that the domain has a valid MX record. It also includes rate limiting and bot protection to prevent automated abuse.
  • Sensitive info protects against clients sending you sensitive information such as PII that you do not wish to handle.
  • Attack protection demonstrates Arcjet Shield, which detects suspicious behavior such as SQL injection and cross-site scripting attacks.


Run locally

  1. Register for a free Arcjet account.

  2. Install dependencies:

npm ci
  3. Rename .env.local.example to .env.local and add your Arcjet key.

  4. Start the dev server:

npm run start

Try it out

NestJS is a server-side framework, so you won't see much in the browser. Here are some API routes to try:

Bot protection

The /bots route uses a guard to protect the controller. All automated clients will receive a 403 response. curl is considered an automated client by default, so you can test it with:

curl -v http://localhost:3000/bots

The /bots-advanced route returns a more customized response:

curl -v http://localhost:3000/bots-advanced

Rate limiting

The /rate-limit route uses a fixed window rate limit. Send 3 requests in quick succession to see the rate limit in action:

curl -v http://localhost:3000/rate-limiting

The /rate-limit-advanced route uses a token bucket rate limit with a customized response. Send 3 requests in quick succession to see it working:

curl -v http://localhost:3000/rate-limiting-advanced
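
The two limiter types named above, together with the per-user limits from the features list, as an added TypeScript example that is not code from this example app or from Arcjet. The class names, the limits (2 and 5 requests per 60 s, a 2-token bucket refilling 1 token per 30 s) and the key scheme are assumptions made for the illustration.

```typescript
// Added illustration: simplified models of the two limiter types, not Arcjet's code.
// All limits below are constructed for the demo, not read from the example app.
type Decision = "ALLOW" | "DENY";

// Fixed window: at most `max` requests per key inside each aligned window.
class FixedWindow {
  private seen = new Map<string, { start: number; count: number }>();
  max: number; windowMs: number;
  constructor(max: number, windowMs: number) { this.max = max; this.windowMs = windowMs; }
  check(key: string, now: number): Decision {
    const start = Math.floor(now / this.windowMs) * this.windowMs;
    let w = this.seen.get(key);
    if (!w || w.start !== start) { w = { start, count: 0 }; this.seen.set(key, w); }
    if (w.count >= this.max) return "DENY";
    w.count += 1;
    return "ALLOW";
  }
}

// Token bucket: a key holds up to `capacity` tokens; `refill` tokens return
// every `intervalMs`, so a drained client recovers gradually, not all at once.
class TokenBucket {
  private buckets = new Map<string, { tokens: number; last: number }>();
  capacity: number; refill: number; intervalMs: number;
  constructor(capacity: number, refill: number, intervalMs: number) {
    this.capacity = capacity; this.refill = refill; this.intervalMs = intervalMs;
  }
  check(key: string, now: number): Decision {
    const b = this.buckets.get(key) ?? { tokens: this.capacity, last: now };
    const elapsed = Math.floor((now - b.last) / this.intervalMs);
    if (elapsed > 0) {
      b.tokens = Math.min(this.capacity, b.tokens + elapsed * this.refill);
      b.last += elapsed * this.intervalMs;
    }
    this.buckets.set(key, b);
    if (b.tokens < 1) return "DENY";
    b.tokens -= 1;
    return "ALLOW";
  }
}

// Per-identity limits: key on the user ID when authenticated, else on the IP.
const anonLimiter = new FixedWindow(2, 60000);
const userLimiter = new FixedWindow(5, 60000);
function checkRequest(ip: string, userId: string | undefined, now: number): Decision {
  return userId ? userLimiter.check(`user:${userId}`, now) : anonLimiter.check(`ip:${ip}`, now);
}
```

In this model a fixed window accepts up to twice its limit across a window boundary (two requests just before it and two just after), while the token bucket hands back one request per refill interval once drained.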

Signup form protection

The /signup route uses Arcjet's signup form protection, which combines bot protection, rate limiting, and email verification. To test it, send POST requests with different email addresses:

curl -v http://localhost:3000/signup \
  -X POST \
  --data "email=invalid.@arcjet"

Try these emails to see how it works:

  • invalid.@arcjet – is an invalid email address.
  • [email protected] – is from a disposable email provider.
  • [email protected] – is a valid email address & domain, but has no MX records.

Sensitive info

The /sensitive-info route uses a guard to protect the controller. It will block requests containing credit card numbers:

curl -v http://localhost:3000/sensitive-info \
  -H "Content-Type: text/plain" \
  -X POST \
  --data "Hello my credit card is 4111111111111111"

The /sensitive-info-advanced route returns a more customized response:

curl -v http://localhost:3000/sensitive-info-advanced \
  -H "Content-Type: text/plain" \
  -X POST \
  --data "Hello my credit card is 4111111111111111"

Attack protection

The /attack route uses Arcjet Shield to detect and block attacks, such as SQL injection and cross-site scripting. To simulate an attack, send a request with the special header:

curl -v http://localhost:3000/attack \
  -H "x-arcjet-suspicious: true"

After the 5th request, your IP will be blocked for 15 minutes. Suspicious requests must meet a threshold before they are blocked to avoid false positives.

Shield is configured as a default rule in the app.module.ts file because you typically want to apply it to every route.

Need help?

Check out the docs, contact support, or join our Discord server.