Common Examples

Learn how to use Vercel WAF to protect your site in specific situations.

Scenario: When reviewing your site's traffic in the live monitor of your project's Firewall tab, you notice a traffic spike coming from Ireland, where you do not have customers and/or do not expect much traffic.

You view the traffic by country by selecting Default Web Traffic from the traffic grouping drop-down and Country for the secondary drop-down.

  1. Select your project from the Vercel dashboard and select the Firewall tab.
  2. From the top right corner of the Firewall page, click the Configure button and then + New Rule.
  3. Type "Ireland Traffic" as Name and "Understand Ireland traffic spike" as Description.
  4. In the Configure section, set up the following If configuration:
    • If Country Equals.
    • Select Ireland in the third drop-down.
  5. In the Then section, select Log from the dropdown. Your rule should look like this:
    Rule for measuring traffic from Ireland
  6. Select Save Rule.
  7. Apply the changes:
    • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
    • Select Review Changes and review the changes to be applied
    • Select Publish to apply the changes to your production deployment
  8. Observe the traffic for this rule on the Firewall overview page.
  9. Update the rule's Then action to Deny, select Save Rule, and apply the changes.
  10. Review the live monitor. The traffic from that region should now be zero.

Scenario: When reviewing your site's traffic in the live monitor of your project's Firewall tab, you notice a traffic spike coming from the IP address 11.22.33.44.

You view the traffic by IP Address by selecting Default Web Traffic from the traffic grouping drop-down and IP Address for the secondary drop-down.

  1. Select your project from the Vercel dashboard and select the Firewall tab.
  2. Scroll down to the IP Blocking section and select the + Add IP button.
  3. In the Configure New Domain Protection modal, type 11.22.33.44 for the IP Address field and match the Host field with the domain of your production deployment.
  4. Select the Create IP Block Rule button.
  5. Apply the changes:
    • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
    • Select Review Changes and review the changes to be applied
    • Select Publish to apply the changes to your production deployment
  6. Review the live monitor. The traffic from 11.22.33.44 should now be zero.

Scenario: During the release of a new feature to your production website, you identify a bug where users cannot log in. You cannot go back to a previous deployment and need some time to publish a fix. You can create a redirect to another URL where you can support your users in the meantime.

  1. Select your project from the Vercel dashboard and select the Firewall tab.
  2. From the top right corner of the Firewall page, click the Configure button and then + New Rule.
  3. For the Name, enter "Emergency redirect".
  4. In the Configure section, set up the following If configuration:
    • If Request Path Equals
    • Enter the relative path of the page where the problem is happening. For example /conference-login.
  5. In the Then section, select "Redirect" from the dropdown.
  6. In the to field, type the URL of the page you want to redirect to. If the page exists in the same project, you can use a relative URL. Your rule should look like this:
    Rule for redirecting users to a different page
  7. Select Save Rule.
  8. Apply the changes:
    • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
    • Select Review Changes and review the changes to be applied
    • Select Publish to apply the changes to your production deployment
  9. Test that the redirect is working by navigating to the request path where the problem is happening.

In the following examples, we send a PATCH request to the Update Firewall Configuration endpoint of the Vercel REST API security group. This request creates a new rule in your project's WAF configuration.

Both the conditionGroup and action body parameters are required fields.

Attackers often use curl to automate activities such as scraping, brute-force attacks, and other malicious traffic. To mitigate such risks, create a custom rule using the following code:

app/api/firewall/route.ts
export async function PATCH() {
  let baseUrl = 'https://api.vercel.com/v1/security/firewall/config';
  let teamId = 'team_a5j...';
  let projectId = 'QmTrK...';
 
  const body = JSON.stringify({
    action: 'rules.insert',
    id: null,
    value: {
      active:
        true /** Whether this rule is enabled or not in your Vercel WAF configuration */,
      name: 'Challenge Curl',
      description: 'Challenge all traffic from curl requests',
      conditionGroup: [
        {
          conditions: [
            {
              op: 'sub' /** Operator used to compare - sub is equivalent to "Contains" */,
              type: 'user_agent' /** Parameter from incoming traffic */,
              value: 'curl',
            },
          ],
        },
      ],
      action: {
        mitigate: {
          action: 'challenge',
          rateLimit: null,
          redirect: null,
          actionDuration: null,
        },
      },
    },
  });
 
  let res = await fetch(`${baseUrl}?projectId=${projectId}&teamId=${teamId}`, {
    method: 'PATCH',
    headers: {
      Authorization: `Bearer ${process.env.VERCEL_TOKEN}`,
      'Content-Type': 'application/json',
    },
    body,
  });
 
  if (!res.ok) {
    return Response.json(
      { status: 'Failed to update Firewall' },
      { status: res.status },
    );
  }
 
  return Response.json({ status: 'New rule added to Firewall' });
}
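
The PATCH handler above spends the project's VERCEL_TOKEN on behalf of whoever calls the route, so the route needs its own caller check. The following is an added example, not code from the Vercel documentation; `authorizeFirewallCaller`, `constantTimeEqual` and the `FIREWALL_ADMIN_SECRET` variable are hypothetical names, and the 32-character minimum is an assumption.

```typescript
// Added example: caller check for the PATCH route handler; not Vercel's code.
type AuthResult = { ok: boolean; status: number; reason: string };

// Compare without stopping at the first differing character.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// authorizationHeader: value of the incoming request's Authorization header.
// adminSecret: hypothetical FIREWALL_ADMIN_SECRET, kept separate from VERCEL_TOKEN.
function authorizeFirewallCaller(
  authorizationHeader: string | null,
  adminSecret: string | undefined,
): AuthResult {
  // Fail closed: an unset or short secret must never open the route.
  if (!adminSecret || adminSecret.length < 32) {
    return { ok: false, status: 500, reason: 'admin secret not configured' };
  }
  const m = /^Bearer (.+)$/.exec(authorizationHeader ?? '');
  if (!m) return { ok: false, status: 401, reason: 'missing bearer credential' };
  if (!constantTimeEqual(m[1] ?? '', adminSecret)) {
    return { ok: false, status: 403, reason: 'credential rejected' };
  }
  return { ok: true, status: 200, reason: 'ok' };
}

// In route.ts, before building the rule body:
//   export async function PATCH(request: Request) {
//     const auth = authorizeFirewallCaller(
//       request.headers.get('authorization'), process.env.FIREWALL_ADMIN_SECRET);
//     if (!auth.ok) return Response.json({ status: auth.reason }, { status: auth.status });
//     ...
//   }
```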

This strategy helps you prevent unauthorized access to sensitive information on specific paths of your web application, and protect against Cross-Site Request Forgery (CSRF) attacks.

To enable this on your Vercel project, create a custom rule using the following code:

app/api/firewall/route.ts
export async function PATCH() {
  let baseUrl = 'https://api.vercel.com/v1/security/firewall/config';
  let teamId = 'team_a5j...';
  let projectId = 'QmTrK...';
 
  const body = JSON.stringify({
    action: 'rules.insert',
    id: null,
    value: {
      active:
        true /** Whether this rule is enabled or not in your Vercel WAF configuration */,
      name: 'Challenge Cookieless requests',
      description: 'Challenge all traffic without session cookies on a specific path',
      conditionGroup: [
        {
          conditions: [ /** Both conditions need to be true */
            {
              op: 'pre' /** Operator used to compare - pre equivalent to "Starts with" */,
              type: 'path' /** Parameter from incoming traffic */,
              value: '/api',
            },
            {
              neg: true, /** Perform negative match */
              op: 'ex' /** Operator used to compare - ex equivalent to "Does not contain" */,
              type: 'cookie' /** Parameter from incoming traffic */,
              value: '_session',
            },
          ],
        },
      ],
      action: {
        mitigate: {
          action: 'challenge',
          rateLimit: null,
          redirect: null,
          actionDuration: null,
        },
      },
    },
  });
 
  let res = await fetch(`${baseUrl}?projectId=${projectId}&teamId=${teamId}`, {
    method: 'PATCH',
    headers: {
      Authorization: `Bearer ${process.env.VERCEL_TOKEN}`,
      'Content-Type': 'application/json',
    },
    body,
  });
 
  if (!res.ok) {
    return Response.json(
      { status: 'Failed to update Firewall' },
      { status: res.status },
    );
  }
 
  return Response.json({ status: 'New rule added to Firewall' });
}

A common strategy to protect your web application from specific known threats can include the following:

  • Denying non-browser traffic by targeting non "Mozilla" user-agents, which helps with blocking bots and scrapers.
  • Blocking traffic from certain Autonomous System Numbers (ASN) that are known to be associated with malicious activities.

To enable this on your Vercel project, create a custom rule using the following code:

app/api/firewall/route.ts
export async function PATCH() {
  let baseUrl = 'https://api.vercel.com/v1/security/firewall/config';
  let teamId = 'team_a5j...';
  let projectId = 'QmTrK...';
 
  const body = JSON.stringify({
    action: 'rules.insert',
    id: null,
    value: {
      active:
        true /** Whether this rule is enabled or not in your Vercel WAF configuration */,
      name: 'Deny non-browser traffic or blacklisted ASN',
      description: 'Deny traffic without Mozilla or from a specific ASN',
      conditionGroup: [ /** Any of the conditions in this array can be true */
        {
          conditions: [
            {
              neg: true, /** Perform negative match */
              op: 're' /** Operator used to compare - re equivalent to "Match regex expression" */,
              type: 'user_agent' /** Parameter from incoming traffic */,
              value: '.*Mozilla.*',
            },
          ],
        },
        {
          conditions: [
            {
              op: 'inc' /** Operator used to compare - inc equivalent to "Includes"*/,
              type: 'geo_as_number' /** Parameter from incoming traffic */,
              value: ["124", "456", "789"], /** includes any of the number combinations in the array */
            },
          ],
        },
      ],
      action: {
        mitigate: {
          action: 'deny',
          rateLimit: null,
          redirect: null,
          actionDuration: null,
        },
      },
    },
  });
 
  let res = await fetch(`${baseUrl}?projectId=${projectId}&teamId=${teamId}`, {
    method: 'PATCH',
    headers: {
      Authorization: `Bearer ${process.env.VERCEL_TOKEN}`,
      'Content-Type': 'application/json',
    },
    body,
  });
 
  if (!res.ok) {
    return Response.json(
      { status: 'Failed to update Firewall' },
      { status: res.status },
    );
  }
 
  return Response.json({ status: 'New rule added to Firewall' });
}
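
To see which requests the cookieless and non-browser/ASN rules above would act on before publishing them, the following added example (not Vercel's code or its matching engine) evaluates their condition groups locally against constructed sample requests. The evaluator, the type names and the reading of `ex` on a cookie as "a cookie with that name is present" are assumptions based on the comments in the rules above.

```typescript
// Added example: a local model of rule matching, not Vercel's implementation.
type Condition = {
  type: 'user_agent' | 'path' | 'cookie' | 'geo_as_number';
  op: 'sub' | 'pre' | 're' | 'inc' | 'ex';
  neg?: boolean;
  value: string | string[];
};
type ConditionGroup = { conditions: Condition[] };
type SampleRequest = { name: string; path: string; userAgent: string; cookies: string[]; asn: string };

function matchesCondition(c: Condition, r: SampleRequest): boolean {
  let hit = false;
  if (c.type === 'cookie') {
    // Assumption: "ex" tests whether a cookie named c.value is present.
    hit = r.cookies.includes(String(c.value));
  } else {
    const field = c.type === 'user_agent' ? r.userAgent : c.type === 'path' ? r.path : r.asn;
    if (c.op === 'sub') hit = field.includes(String(c.value));
    else if (c.op === 'pre') hit = field.startsWith(String(c.value));
    else if (c.op === 're') hit = new RegExp(String(c.value)).test(field);
    else if (c.op === 'inc') hit = Array.isArray(c.value) && c.value.includes(field);
  }
  return c.neg ? !hit : hit; // neg inverts the comparison
}

// Any group may match (OR); every condition inside a group must match (AND).
function previewRule(groups: ConditionGroup[], samples: SampleRequest[]): string[] {
  return samples
    .filter((r) => groups.some((g) => g.conditions.every((c) => matchesCondition(c, r))))
    .map((r) => r.name);
}

// Condition groups copied from the cookieless and non-browser/ASN rules on this page.
const cookielessRule: ConditionGroup[] = [{ conditions: [
  { op: 'pre', type: 'path', value: '/api' },
  { neg: true, op: 'ex', type: 'cookie', value: '_session' },
] }];
const denyRule: ConditionGroup[] = [
  { conditions: [{ neg: true, op: 're', type: 'user_agent', value: '.*Mozilla.*' }] },
  { conditions: [{ op: 'inc', type: 'geo_as_number', value: ['124', '456', '789'] }] },
];

// Constructed sample traffic (not real logs).
const samples: SampleRequest[] = [
  { name: 'browser', path: '/api/orders', userAgent: 'Mozilla/5.0 (X11; Linux x86_64)', cookies: ['_session'], asn: '64500' },
  { name: 'webhook', path: '/api/webhook', userAgent: 'ExamplePay-Webhook/1.0', cookies: [], asn: '64501' },
  { name: 'uptime-check', path: '/', userAgent: 'curl/8.5.0', cookies: [], asn: '64502' },
  { name: 'browser-asn-456', path: '/pricing', userAgent: 'Mozilla/5.0 (Macintosh)', cookies: [], asn: '456' },
];

console.log(previewRule(cookielessRule, samples), previewRule(denyRule, samples));
```

In this sample set the deny rule also matches the webhook and the uptime check, which are legitimate automation. Running a new rule with the Log action first, as in the Ireland scenario, surfaces such matches in live traffic before you switch to Deny.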

This strategy can help you enhance security and manage traffic across all your project domains at once in the following possible cases:

  • You identified that a specific IP network is associated with DDoS attacks or automated bot traffic.
  • Certain sanctions or data protection laws require that you block traffic from certain IP networks.

To enable this across all your project domains, create an IP Blocking rule using the following code:

app/api/firewall/route.ts
export async function PATCH() {
  let baseUrl = 'https://api.vercel.com/v1/security/firewall/config';
  let teamId = 'team_a5j...';
  let projectId = 'QmTrK...';
 
  const body = JSON.stringify({
    action: 'ip.insert',
    id: null,
    value: {
      action: 'deny',
      hostname: '*',
      ip: '12.34.56.0/24',
      notes: 'deny traffic from 12.34.56.0/24',
    },
  });
 
  let res = await fetch(`${baseUrl}?projectId=${projectId}&teamId=${teamId}`, {
    method: 'PATCH',
    headers: {
      Authorization: `Bearer ${process.env.VERCEL_TOKEN}`,
      'Content-Type': 'application/json',
    },
    body,
  });
 
  if (!res.ok) {
    return Response.json(
      { status: 'Failed to update Firewall' },
      { status: res.status },
    );
  }
 
  return Response.json({ status: 'New rule added to Firewall' });
}
Last updated on October 1, 2024