Vercel WAF

Learn how to secure your website with the Vercel Web Application Firewall (WAF)

Table of Contents

Vercel WAF is available on all plans

Those with the member, viewer, developer and administrator roles can access this feature

The Vercel WAF, part of the Firewall, provides security controls to monitor and control the internet traffic to your site through logging, blocking and challenging. When you apply a configuration change to the firewall, it takes effect globally within 300ms and can be instantly rolled back to prior configurations.

Traffic monitoring

In the Firewall tab of your project, you can see a line graph that displays the total incoming web traffic over a specific period of time for your production deployment. The default view shows an Overview of the traffic for a live 10-minute window.

Use the following settings to change the monitoring view:

Traffic grouping:
- Overview: The default option shows the traffic grouped by Category (of traffic control rules) or Action (Allow, challenge, deny, or log) applied to the traffic with the firewall rules
- The remaining options show the traffic for the selected set by Region, IP Address, User Agent, Request Path, Target Path, JA4 Digest, or Country
  - Default web traffic
  - Custom Rule list: A list of your enabled custom rules
  - Managed Ruleset list (Enterprise plan): A list of your enabled managed rulesets
Time period: Select Live (10 minute live window) or Past Day (24 hours)

Traffic control

You can control the internet traffic to your website in the following ways:

IP blocking: Learn how to configure IP blocking
Custom rules: Learn how to configure custom rules for your project
Managed rulesets: Learn how to enable managed rulesets for your project (Enterprise plan)

Rule execution order

The rules obey the following order of execution by default:

DDoS Mitigation rules
IP blocking
Custom Rules
Managed Rulesets

When you have more than one custom rule, you can customize their order in the Firewall tab of the project.

Instant rollback

You can quickly revert to a previous version of your firewall configuration. This can be useful in situations that require a quick recovery from unexpected behavior or rule creation.

To restore to a previous version:

From your dashboard, select the project that you'd like to configure a rule for and then select the Firewall tab
Select the View Activity button
Find the version that you would like to restore to by using the date and time selectors
Select Restore and then Restore Configuration on the confirmation modal

Limits

Depending on your plan, there are limits for each Vercel WAF feature.

Feature	Hobby	Pro	Enterprise
Project level IP Blocking	Up to 10	Up to 100	Custom
Account-level IP Blocking	N/A	N/A	Custom
Custom Rules	Up to 3	Up to 40	Up to 1000
Custom Rule Parameters	All	All	All
Managed Rulesets	N/A	N/A	Contact sales

For Account-level IP Blocking, CIDR rules are limited to /16 for IPv4 and /48 for IPv6
For Custom Rule Parameters, JA3 (Legacy) is available on Enterprise plans

Note: If your project needs more than these limits or for managed rulesets, contact us to discuss the Enterprise plan.

Contact Sales

Last updated on October 28, 2024

Attack Challenge Mode

IP Blocking

Was this helpful?