Getting started
Quick start
Add runtime request protection to your app in three steps. Pick your framework, drop in credentials, protect your first route.
1. Install Cosantoir
In your project root, run:
$ npm install @cosantoir/next @cosantoir/node
2. Set your credentials
Add these to your .env file. All three values are required.
COSANTOIR_GATEWAY_URL=https://api.cosantoir.com
COSANTOIR_API_KEY=dp_live_your_key
COSANTOIR_SITE_ID=site_prod_web
Get your API key and site ID from the Cosantoir dashboard.
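Because all three values are required and the middleware in step 3 reads them with non-null assertions, a startup check can refuse to boot on incomplete settings. This is an added example, not Cosantoir code: the function names, the https-only rule and the sample-key check are assumptions of this example; only the variable names and the sample key come from this page.

```typescript
// Added example (not part of the Cosantoir SDK). Variable names are from
// step 2; the validation rules are assumptions of this example.
type Env = Record<string, string | undefined>;

interface CosantoirConfig {
  baseUrl: string;
  apiKey: string;
  siteId: string;
}

const REQUIRED = ["COSANTOIR_GATEWAY_URL", "COSANTOIR_API_KEY", "COSANTOIR_SITE_ID"];
// Sample key printed in the quick start; it must never reach production.
const SAMPLE_API_KEY = "dp_live_your_key";

// Returns one message per problem. Messages name the variable only and
// never echo its value, so secrets stay out of logs.
function findConfigProblems(env: Env): string[] {
  const problems: string[] = [];
  for (const name of REQUIRED) {
    const value = (env[name] ?? "").trim();
    if (value === "") problems.push(`${name} is missing or empty`);
    else if (value === SAMPLE_API_KEY) problems.push(`${name} still holds the sample value`);
  }
  const url = (env["COSANTOIR_GATEWAY_URL"] ?? "").trim();
  // Assumed policy: https only, so the API key is not sent in cleartext.
  if (url !== "" && !/^https:\/\//i.test(url)) {
    problems.push("COSANTOIR_GATEWAY_URL must start with https://");
  }
  return problems;
}

// Call once at startup, e.g. loadCosantoirConfig(process.env), and pass the
// result to createCosantoir instead of the process.env.X! expressions.
function loadCosantoirConfig(env: Env): CosantoirConfig {
  const problems = findConfigProblems(env);
  if (problems.length > 0) {
    throw new Error("Cosantoir configuration invalid: " + problems.join("; "));
  }
  return {
    baseUrl: (env["COSANTOIR_GATEWAY_URL"] as string).trim(),
    apiKey: (env["COSANTOIR_API_KEY"] as string).trim(),
    siteId: (env["COSANTOIR_SITE_ID"] as string).trim(),
  };
}
```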
3. Protect a route
Wire protection into your Next.js app. WAF evaluation runs on every request — block or allow based on the returned decision.
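// middleware.ts
import { createCosantoir } from "@cosantoir/node";
import { createMiddleware, readNextRequestIp } from "@cosantoir/next";

// Build the client from the three values set in step 2. The `!` assertions
// only satisfy the type checker; an unset variable is still passed as undefined.
const cs = createCosantoir({
  baseUrl: process.env.COSANTOIR_GATEWAY_URL!,
  apiKey: process.env.COSANTOIR_API_KEY!,
  siteId: process.env.COSANTOIR_SITE_ID!,
});

export const middleware = createMiddleware({
  client: cs,
  // As the option name indicates, requests are allowed through when no
  // decision can be obtained. Choose this deliberately for protected routes.
  failOpen: true,
  // If no client IP can be read, the request is evaluated as 127.0.0.1.
  ip: (req) => readNextRequestIp(req) ?? "127.0.0.1",
});

// Run the middleware on API routes only.
export const config = {
  matcher: ["/api/:path*"],
};
4. Start your app and test it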
Send a test request to verify the shield is active:
$ curl -sS http://localhost:3000/api/hello \
    -H "x-forwarded-for: 192.0.2.1" -i
You should see a 200 OK with a clean IP. Requests that trip the WAF rules return 403 Forbidden.
What next?
Bot protection
Block automated traffic and scraper bots.
Rate limiting
Cap request budgets per user or IP.
Shield WAF
Block SQLi, XSS, and attack pattern traffic.
Email validation
Reject disposable and malformed email on signup.
CLI
Probe runtime decisions directly from your terminal.
MCP Server
Expose evaluator tools natively to AI agents.