@repo/security protects your app with bot detection, rate limiting, and DDoS protection through Arcjet. Secure HTTP headers come from Nosecone.
Usage
Apply security rules in middleware:
import { secure } from "@repo/security";

export default secure({
  rateLimit: {
    max: 100,
    window: "1m",
  },
  botProtection: true,
});
Rate Limiting
Lock down specific routes:
import { rateLimit } from "@repo/security";

const limiter = rateLimit({
  max: 5,
  window: "15m",
});

export async function POST(request: Request) {
  const decision = await limiter.protect(request);
  if (decision.isDenied()) {
    return new Response("Too many requests", { status: 429 });
  }
  // Handle request
}
Nosecone sets Content-Security-Policy, X-Frame-Options, and other headers on all responses:
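import { withSecureHeaders } from "@repo/security";

export default withSecureHeaders({
  contentSecurityPolicy: {
    directives: {
      // Fallback for any fetch directive not listed explicitly
      defaultSrc: ["'self'"],
      // 'unsafe-inline' lets inline scripts run, which weakens CSP's XSS
      // protection; prefer nonces or hashes where the app allows it
      scriptSrc: ["'self'", "'unsafe-inline'"],
    },
  },
});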
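To see what the directives above become on the wire and why the `scriptSrc` entry deserves review, the following added example (not part of `@repo/security` or Nosecone) serializes a directives object into a header value and flags weak script sources. The names `Directives`, `directiveName`, `toHeaderValue` and `auditCsp` are hypothetical, and the nonce value is a placeholder.

```typescript
// Hypothetical helpers for illustration; not the @repo/security or Nosecone API.
type Directives = Record<string, string[]>;

// camelCase config key -> CSP directive name, e.g. scriptSrc -> script-src
function directiveName(key: string): string {
  return key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Serialize a directives object into a Content-Security-Policy header value.
function toHeaderValue(directives: Directives): string {
  return Object.keys(directives)
    .map((key) => [directiveName(key), ...directives[key]].join(" "))
    .join("; ");
}

// Report script sources that weaken the policy.
function auditCsp(directives: Directives): string[] {
  const findings: string[] = [];
  // Browsers fall back to default-src when script-src is absent.
  const effective = directives.scriptSrc ?? directives.defaultSrc;
  if (!effective) return ["no script-src or default-src: scripts are unrestricted"];
  // When a nonce or hash is present, browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = effective.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  for (const source of effective) {
    if (source === "'unsafe-inline'" && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline': injected inline scripts will run");
    } else if (source === "'unsafe-eval'") {
      findings.push("script-src allows 'unsafe-eval': string-to-code APIs are enabled");
    } else if (source === "*" || source === "https:" || source === "http:") {
      findings.push(`script-src allows broad source ${source}`);
    }
  }
  return findings;
}

// The policy shown on this page.
const pagePolicy: Directives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", "'unsafe-inline'"],
};
// Constructed alternative: a per-response nonce instead of 'unsafe-inline'.
const noncePolicy: Directives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", "'nonce-PLACEHOLDER'"],
};

console.log(toHeaderValue(pagePolicy), auditCsp(pagePolicy));
console.log(toHeaderValue(noncePolicy), auditCsp(noncePolicy));
```

A real nonce must be freshly generated for every response and attached to each allowed script tag.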
Environment Variables
See Environment Variables — Security.