WAF Managed Rulesets

Learn how to use managed rulesets with the Vercel Web Application Firewall (WAF)

Managed rulesets are collections of predefined WAF rules based on standards such as the Open Worldwide Application Security Project (OWASP) Top Ten that you can enable and configure in your project's Firewall dashboard.

The following ruleset(s) are currently available:

OWASP core ruleset is available on Enterprise plans. Review pricing information here.

To enable and configure OWASP Core Ruleset for your project, follow these steps:

  1. From your project's dashboard, select the Firewall tab
  2. Select the Configure button
  3. From the Managed Rulesets section, enable OWASP Core Ruleset
  4. You can apply the changes with the OWASP rules enabled by default:
    • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
    • Select Review Changes and review the changes to be applied
    • Select Publish to apply the changes to your production deployment
  5. Alternatively, choose which OWASP rules to enable first by selecting Configure on the OWASP Core Ruleset list item
  6. On the OWASP Core Ruleset configuration page, enable or disable each rule as needed
  7. For each enabled rule, select Log Only or Deny from the action drop-down
    • Use Log Only first and monitor the live traffic on the Firewall overview page to check that the rule has the desired effect when applied
  8. Apply the changes
  9. Monitor the live traffic on the Firewall overview page

Bot filter managed ruleset is available in Beta on all plans

To enable and configure bot protection for your project, follow these steps:

  1. From your project's dashboard, select the Firewall tab
  2. Select the Configure button
  3. From the Bot Protection section, select Log or Challenge on the Bot Filter rule to choose what action should be performed when an unwanted bot is identified.
    • When enabled in challenge mode, the Vercel WAF will serve a JavaScript challenge to traffic that is unlikely to be a browser.
  4. You can then apply as follows:
    • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
    • Select Review Changes and review the changes to be applied
    • Select Publish to apply the changes to your production deployment

You can configure specific IP addresses to bypass the Custom Rules and Managed Rulesets configured with the Vercel WAF by using System Bypass Rules.

The Vercel WAF executes rules on incoming traffic in the following order:

  1. Custom rules set up in the project
  2. Managed rulesets configured in the project

Last updated on April 26, 2025