Log InContact
Sign Up
Blog

Bot Filter: One-click bot protection now in public beta

3 min read

The Vercel Web Application Firewall (WAF) inspects billions of requests every day to block application-layer threats, such as cross-site scripting, traversal, and application DDoS attacks. While we already inspect and block malicious bot traffic, we wanted to provide better, more precise controls to fine tune your application security.

Today, we're launching the Bot Filter managed ruleset, free for all users on all plans. With a single click, you can protect your application from bot attacks.

Enable Bot Filter Today

Bot Filter protects applications from bot attacks with a single click.

Enable Now

Countering the threat of bad bots

Automation plays a key role in how the internet works. While some bots serve useful functions, like crawling and indexing, it’s estimated that nearly one-third of internet traffic is malicious bot activity. They’ve become some of the biggest security threats facing developers, security teams, and end-users today.

To counter automation at this scale, there’s no one-sized fits all approach. Teams need a variety of tools and mitigation techniques to stop bad bots.

Evolving our bot protections

Vercel provides bot mitigation as part of our secure by default platform.

  • Our platform-wide DDoS mitigations block traffic from botnets behind DDoS traffic, HTTP floods, and malformed requests

  • Firewall templates let users deploy rules targeting known bad actors, from open source blocklists to common AI scrapers

  • Attack Challenge mode can be used to challenge requests during highly-sophisticated or targeted attacks

However, as automated attacks become more advanced, teams require more targeted protections that are always on and always adapting.

Introducing Bot Filter

The Bot Filter managed ruleset gives you the ability to stop unwanted bot traffic, while allowing business-critical bots through. This new security layer goes beyond our platform protections to give you greater control over the type of traffic accessing you applications.

How Bot Filter works

The Bot Filter takes a proactive approach using a heuristics-based detection. It quickly distinguishes between browser-based traffic (human) or non-browser based (likely bot) traffic with zero configuration needed. When enabled:

  • Requests from real browsers and verified bots are allowed through, including internal sources like project cron jobs and API calls from your functions

  • Requests from non-browser clients, like curl or unwanted scrapers, can be issued a challenge

Bot Filter ties directly into the WAF. As a managed ruleset, we maintain the list of verified bots to ensure authenticity and reduce maintenance overhead.

When to use Bot Filter

Use Bot Filter to restrict access to your sites to human users and Vercel-verified bots. It’s ideal for legitimate services like AI and SEO bots, or when you expect mostly human traffic. Bot Filter continuously challenges non-browser traffic, improving app performance and optimizing resource usage for real customers.

We recommend you enable Bot Filter in Log-Only Mode first to gain visibility into your app's traffic and bot sources by showing what requests would be challenged. For legitimate automated traffic not covered by verified bots list, you can use custom WAF rules with the bypass action to ensure that this traffic reaches your app.

Bot Filter is not designed to protect against sophisticated bots that mimic human and browser behavior. Should you want to issue a challenge to all traffic to block automation entirely, use Attack Challenge Mode instead.

What’s next for bot protection

Public Beta Feedback

During this public beta period, we’ve set up a thread on the Vercel Community where you can share your feedback, feature requests, and experiences with Bot Filter.

Looking ahead

Bot protection plays a key role in strengthening our secure by default platform. AI agents and other automated tools are only increasing, and the rising volume of sophisticated bot traffic will change the way developers build, operate, and secure apps.

Our planned bot protection updates for the Vercel Firewall focus on specific attack types and better end-user experiences. Additional features include deeper observability into bot traffic, more granular control over verified and AI bots, Bot Protection SDK, and runtime bot protection capabilities. Enterprise users looking for more granular control will also get access to underlying detection signals as configurable inputs in the Firewall for more advanced control over automated traffic.

Enable Bot Filter today

You can enable the Bot Filter from your Firewall's Configure dashboard.

Learn about security that scales with you

The Vercel Firewall delivers multi-layer protection against application-layer attacks, DDoS threats, and bots. Visit our security page to sign up for a demo or add firewall rules today

Learn more

If you're just getting started with Vercel Firewall, or don't yet have a clear picture of your app's traffic patterns, start in Log-Only Mode so you can refine your allowlist before switching to active enforcement.

Learn more in the changelog or read the documentation.

Ready to deploy? Start building with a free account. Speak to an expert for your Pro or Enterprise needs.

Start Deploying
Talk to an Expert

Explore Vercel Enterprise with an interactive product tour, trial, or a personalized demo.

Explore Enterprise