Launching the future of developer security + seed funding from a16z

Native security for Next.js, Node.js, Bun, SvelteKit, Vercel, Netlify, Fly.io and other modern platforms. Announcing our seed funding led by Andreessen Horowitz.

Developers are often unfairly labeled indifferent to security. While it’s true that developers have a different mindset (build) compared to security (break), the real issue is the lack of good tooling.

There are lots of tools available for writing code. With static analysis, dependency scanning, and AI assistants, avoiding common security errors is significantly easier than it used to be.

The same can’t be said once your code is in production. Forcing developers to do “DevSecOps” has failed. Developers need a set of tools that solve real problems in the way they’re used to: with code.

This is why I founded Arcjet. We’re building a suite of core security components which help developers protect their apps in production.

Native security for Next.js, Node.js, Bun, SvelteKit, Vercel, Netlify, Fly.io and other modern platforms is as simple as dropping in a few lines of code:

```typescript
import arcjet, { detectBot } from "@arcjet/next";
import { NextRequest, NextResponse } from "next/server";

export const config = {
  // matcher tells Next.js which routes to run the middleware on.
  // This runs the middleware on all routes except for static assets.
  matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
};

const aj = arcjet({
  key: process.env.ARCJET_KEY!,
  rules: [
    detectBot({
      mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
      // configured with a list of bots to allow from
      // https://arcjet.com/bot-list
      allow: ["GOOGLE_CRAWLER"], // blocks all bots except Google
    }),
  ],
});

export default async function middleware(request: NextRequest) {
  const decision = await aj.protect(request);

  // Block the request if the deny comes from a bot rule. You can
  // customize this logic to fit your needs, e.g. by checking the IP
  // address type or changing the status code.
  // See https://docs.arcjet.com
  if (decision.isDenied() && decision.reason.isBot()) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 403 });
  } else {
    return NextResponse.next();
  }
}
```

Protecting a Next.js application with Arcjet middleware - just one of the developer SDKs supported by Arcjet. Middleware runs on every request, but Arcjet can also be integrated into individual API routes and pages. See the full example app.

From here, developers have the full power of code to customize everything.

Rules are evaluated with the request context so they can dynamically adjust parameters at runtime e.g. by billing plan, user role, database attributes, etc. And the decision can be more than just deny/allow: developers can customize their application logic with the response e.g. flag an account for review, request re-authorization, limit sensitive actions, etc.

Whether you’re getting spam or fraudulent signups, have unwanted AI bots scraping your content, or need to distinguish API traffic between anonymous free users and paying customers, Arcjet helps developers tackle security challenges directly in code.

Announcing our seed funding

Today, I’m excited to announce our $3.6 million seed funding led by Zane Lackey at Andreessen Horowitz, previously co-founder of Signal Sciences. Also participating in the round are Seedcamp and a roster of great angels (see the full list below).

Although deploying code has become simpler, production security remains too difficult. The old approach was to rack a physical firewall in front of your servers and filter traffic before it reached them. The delivery model changed with the introduction of cloud, but the fundamental approach is still stuck in the past: throw a network filter in front of your app and hope for the best.

The future of security lies closer to the application itself. Network filtering is too generic - it can’t tell the difference between an anonymous user and your largest customer. The network is the right place to defend against volumetric DDoS attacks, but those types of protections are now a commodity offered for free by all major cloud platforms.

Developer-first production security means understanding the context of every request. This requires deep integration with your application, allowing dynamic adjustments based on security signals such as user authentication, pricing plans, IP reputation, and flagging suspicious sign-ups for human review.

Embedding security rules into the application also means they can be tested. If you’ve ever turned on a new security tool then you know the pain of suddenly breaking production because you couldn’t test it locally or on staging!
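
The two ideas above, rules that read the request context and rules that can be tested before they reach production, shown together in an added example. It is not Arcjet SDK code: the `ContextualLimiter` class, its per-plan limits and the `ipSuspicious` flag are assumptions made for illustration.

```typescript
// Added example: all names here are hypothetical, not the Arcjet SDK API.
type Plan = "anonymous" | "free" | "paid";
interface RequestContext {
  ip: string;
  userId?: string; // present once the user is authenticated
  plan: Plan;
  ipSuspicious: boolean; // assumed input, e.g. from an IP reputation lookup
}
interface Decision {
  conclusion: "ALLOW" | "DENY" | "REVIEW";
  reason: "OK" | "RATE_LIMIT" | "SUSPICIOUS_SIGNUP";
  remaining: number;
}

// Requests allowed per window for each billing plan (constructed values).
const LIMITS: Record<Plan, number> = { anonymous: 2, free: 5, paid: 100 };
const WINDOW_MS = 60000;

class ContextualLimiter {
  private windows = new Map<string, { start: number; count: number }>();
  private now: () => number;
  // The clock is injected so a test can move time forward deterministically.
  constructor(now: () => number = Date.now) {
    this.now = now;
  }

  protect(ctx: RequestContext, route: string): Decision {
    // Key on the account when known so users behind one IP do not share a budget.
    const key = ctx.userId ? `user:${ctx.userId}` : `ip:${ctx.ip}`;
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t - w.start >= WINDOW_MS) {
      w = { start: t, count: 0 };
      this.windows.set(key, w);
    }
    const limit = LIMITS[ctx.plan];
    if (w.count >= limit) {
      return { conclusion: "DENY", reason: "RATE_LIMIT", remaining: 0 };
    }
    w.count += 1;
    const remaining = limit - w.count;
    // More than allow/deny: accept the signup but flag it for human review.
    if (route === "/signup" && ctx.ipSuspicious) {
      return { conclusion: "REVIEW", reason: "SUSPICIOUS_SIGNUP", remaining };
    }
    return { conclusion: "ALLOW", reason: "OK", remaining };
  }
}
```

Because the decision is a plain function of the context and an injected clock, the same checks can run in a unit test on a laptop or in CI before the rule is switched on in production.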

Angel investors

The following amazing angel investors are also participating in this funding round:

What’s coming next?

Our first SDK for JavaScript has been in alpha for several months as we refined the API based on developer feedback. We’ll soon be stabilizing the API and graduating the JS SDK to beta. This paves the way for expanding support to other languages, with the Python SDK next in line.

In the coming weeks, we will also introduce new features designed to enhance your application’s security.

Get started

For the last few years I’ve been playing with devtools all day every day for the console.dev newsletter, writing about all the amazing innovations developers have been enjoying. Security tooling has been lagging behind, forcing developers to put up with legacy systems detached from their normal workflow and with a sub-par developer experience. I’m excited to be working on changing that!

Start using Arcjet for free - sign up now.

Questions? Feel free to reach out.
