---
title: Set up App and API Protection for Node.js on Linux
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > App and API Protection > Enabling App and API
  Protection > Enabling App and API Protection for Node.js > Set up App and API
  Protection for Node.js on Linux
---

# Set up App and API Protection for Node.js on Linux

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). ().
{% /alert %}

{% /callout %}

{% alert level="info" %}
You can enable App and API Protection for Node.js services with the following setup options:

1. If your Node.js service already has APM tracing set up and running, then skip to service configuration
1. If your Node.js service doesn't have APM tracing set up, you can easily enable App and API Protection with Datadog's [Automatic Installation](https://docs.datadoghq.com/tracing/trace_collection/automatic_instrumentation/single-step-apm/linux/)
1. Otherwise, keep reading the following manual setup instructions

{% /alert %}

## Overview{% #overview %}

App and API Protection works by leveraging the [Datadog Node.js library](https://github.com/DataDog/dd-trace-js/) to monitor and secure your Node.js service. The library integrates seamlessly with your existing application without requiring code changes.

For detailed compatibility information, including supported Node.js versions, frameworks, and deployment environments, see [Node.js Compatibility Requirements](https://docs.datadoghq.com/security/application_security/setup/nodejs/compatibility).

This guide explains how to set up App and API Protection (AAP) for Node.js applications. The setup involves:

1. Installing the Datadog Agent
1. Enabling App and API Protection monitoring
1. Running your Node.js application with the Datadog Agent
1. Verifying the setup

## Prerequisites{% #prerequisites %}

- Linux operating system
- Node.js application
- Root or sudo privileges
- Systemd (for service management)
- Your Datadog API key
- Datadog Node.js tracing library (see [version requirements](https://docs.datadoghq.com/security/application_security/setup/nodejs/compatibility))

## 1. Installing the Datadog Agent

Install the Datadog Agent by following the [setup instructions for Linux hosts](https://docs.datadoghq.com/agent/?tab=Linux).

## 2. Enabling App and API Protection monitoring
If your Node.js service already has APM tracing set up and running, you can automatically enable App and API Protection through Remote ConfigurationIf not, enable App and API Protection with the manual configuration instructions.navigation-menu{background:#f8f9fa;border:1px solid #e9ecef;border-radius:8px;padding:20px;margin:20px 0}.nav-container h3{margin-top:0;margin-bottom:15px;color:#333;font-size:1.1em}.nav-list{list-style:none;padding:0;margin:0}.nav-list li{margin-bottom:8px}.nav-list a{color:#06c;text-decoration:none;font-weight:500}.nav-list a:hover{text-decoration:underline;color:#049}
### Automatically enabling App and API Protection through Remote Configuration{% #automatically-enabling-app-and-api-protection-through-remote-configuration %}

{% alert level="danger" %}
APM Tracing cannot be disabled for the time being with remote config.
{% /alert %}

You can enable remote configuration on your [services dashboard](https://app.datadoghq.com/security/configuration/asm/setup?services=recommended). Simply check the box for the service you want to enable App and API Protection for under "Activate on your APM services".

### Manually enabling App and API Protection monitoring{% #manually-enabling-app-and-api-protection-monitoring %}

Install the latest version of the Datadog Node.js library:

```bash
npm install dd-trace
```

{% collapsible-section %}
#### APM Tracing Enabled

Start your Node.js application with the Datadog library and App and API Protection enabled:

```bash
DD_APPSEC_ENABLED=true DD_SERVICE=<YOUR_SERVICE_NAME> DD_ENV=<YOUR_ENVIRONMENT> node --require dd-trace/init app.js
```

{% /collapsible-section %}

{% collapsible-section %}
#### APM Tracing Disabled

To disable APM tracing while keeping App and API Protection enabled, you must set the APM tracing variable to false.

Start your Node.js application with the Datadog library and App and API Protection enabled:

```bash
DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false DD_SERVICE=<YOUR_SERVICE_NAME> DD_ENV=<YOUR_ENVIRONMENT> node --require dd-trace/init app.js
```

{% /collapsible-section %}

## 3. Run your application

Start your Node.js application with the configured settings.

## 4. Verify setup

To verify that App and API Protection is working correctly:

1. Send some traffic to your application
1. Check the [Application Signals Explorer](https://app.datadoghq.com/security/appsec) in Datadog
1. Look for security signals and vulnerabilities

## Troubleshooting{% #troubleshooting %}

If you encounter issues while setting up App and API Protection for your Node.js application, see the [Node.js App and API Protection troubleshooting guide](https://docs.datadoghq.com/security/application_security/setup/nodejs/troubleshooting).

## Further Reading{% #further-reading %}

- [How App and API Protection Works](https://docs.datadoghq.com/security/application_security/how-it-works/)
- [OOTB App and API Protection Rules](https://docs.datadoghq.com/security/default_rules/?category=cat-application-security)
- [Troubleshooting App and API Protection](https://docs.datadoghq.com/security/application_security/troubleshooting)