chore: Document Shield analysis limitations (#91)

src/content/docs/limitations.mdx

@@ -42,4 +42,15 @@ We believe application context is critical and so this where Arcjet shines.
 However, it also means that your application will receive more traffic than if
 it were simply blocked on the network.
 
+## Shield analysis does not use the request body
+
+[Arcjet Shield](/shield/concepts) analysis is currently based on the request
+headers and query parameters. To minimize false positives and achieve
+low-latency responses, Shield analysis happens in the background on the Arcjet
+platform after a request has been reported to our API. For [privacy](/privacy)
+we do not send the request body to our API, so it cannot be used for analysis.
+
+In the future we intend to support local request body analysis as part of
+Shield.
+
 <Comments />

src/content/docs/shield/concepts.mdx

@@ -80,11 +80,12 @@ developers to build with security in mind without sacrificing usability.
 ## How does Arcjet Shield work?
 
 The Arcjet SDK communicates with the Arcjet API on every request as part of
-applying your configured rules. The request is included as part of this process
-because rules are executed based on the request content. This also allows Arcjet
-Shield to analyze the request. Analysis happens on the Arcjet platform so it
-requires no additional resources from your application and adds no overhead to
-the request processing. See [Architecture](/architecture) for details.
+applying your configured rules. The request ([except the
+body](/limitations#shield-analysis-does-not-use-the-request-body)) is included
+as part of this process and rules are executed based on the request content.
+Analysis happens on the Arcjet platform so it requires no additional resources
+from your application and adds no overhead to the request processing. See
+[Architecture](/architecture) for details.
 
 ## Is Arcjet Shield a Web Application Firewall (WAF)?