WAF Rate Limiting
Learn how to configure custom rate limiting rules with the Vercel Web Application Firewall (WAF).
WAF Rate Limiting is available on Pro and Enterprise plans.
Rate limiting allows you to control the number of times that a request from the same source can hit your application within a specific timeframe. Repeated requests from one source can happen for multiple reasons, such as malicious activity or a software bug.
The use of rate limiting rules helps ensure that only intended traffic reaches your resources such as API endpoints or external services, giving you better control over usage costs.
- From your dashboard, select the project that you'd like to configure rate limiting for. Then select the Firewall tab
- Select Configure on the top right of the Firewall overview page. Then, select + New Rule
- Complete the fields for the rule as follows:
  - Type a name to help you identify the purpose of this rule for future reference
  - In the Configure section, add as many If conditions as needed. All conditions must be true for the action to happen.
  - For the Then action, select Rate Limit
    - If this is the first time you are creating a rate limit rule, you will need to review the Rate Limiting Pricing dialog and select Continue
    - Select Fixed Window (Pro and Enterprise) or Token Bucket (Enterprise) for the limiting strategy
    - Update the Time Window field as needed (defaults to 60s) and the Request Limit field as needed (defaults to 100 requests)
      - The Request Limit defines the maximum number of requests allowed in the selected time window from a common source
    - Select the key(s) from the request's source that you want to match against
  - For the Then action, you can leave the Default (429) action or choose between Log, Deny and Challenge. The Log action will not perform any blocks. You can use it to first monitor the effect before applying a rate limit or block action.
  - Select Save Rule
- Apply the changes:
  - When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
  - Select Review Changes and review the changes to be applied
  - Select Publish to apply the changes to your production deployment
- Go to the Firewall overview page, select your Custom Rule from the traffic grouping drop-down and select the parameter(s) related to the condition(s) of your Custom Rule to observe the traffic and check whether it's working as expected.
Resource | Hobby | Pro | Enterprise |
---|---|---|---|
Included counting keys | N/A | IP, JA4 Digest | IP, JA4 Digest, User Agent and arbitrary Header keys |
Counting algorithm | N/A | Fixed window | Fixed window, Token bucket |
Counting window | N/A | Minimum: 10s, Maximum: 10mins | Minimum: 10s, Maximum: 1hr |
Number of rules | N/A | 40 | 1000 |
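To compare how the Fixed Window and Token Bucket strategies treat the same traffic under the default Time Window (60s) and Request Limit (100), the following added example (not Vercel's code) replays constructed requests through textbook versions of both algorithms. The token bucket's capacity and refill rate, the function names and the sample IPs are assumptions made for illustration; Vercel's internal counting may differ.

```javascript
// Added illustration: textbook limiters, not Vercel's implementation.
// WINDOW_MS and LIMIT mirror the rule defaults on this page (60s, 100 requests).
const WINDOW_MS = 60_000;
const LIMIT = 100;

// Fixed window: one counter per key per aligned window, reset at each boundary.
function fixedWindow(limit, windowMs) {
  const counters = new Map(); // key -> { windowId, count }
  return (key, t) => {
    const windowId = Math.floor(t / windowMs);
    let c = counters.get(key);
    if (!c || c.windowId !== windowId) counters.set(key, (c = { windowId, count: 0 }));
    c.count += 1;
    return c.count <= limit; // false = over the limit (the rule's action applies)
  };
}

// Token bucket: each key holds up to `capacity` tokens, refilled continuously.
// Assumption: capacity = Request Limit, refill rate = Request Limit / Time Window.
function tokenBucket(capacity, windowMs) {
  const buckets = new Map(); // key -> { tokens, last }
  return (key, t) => {
    const b = buckets.get(key) || { tokens: capacity, last: t };
    b.tokens = Math.min(capacity, b.tokens + ((t - b.last) * capacity) / windowMs);
    b.last = t;
    buckets.set(key, b);
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  };
}

// Constructed traffic (ms timestamps, documentation IPs as the counting key): a buggy
// client retrying every 7 ms across the 60 s boundary, and a client sending every 2 s.
function sampleTraffic() {
  const events = [];
  for (let i = 0; i < 200; i++) events.push({ key: "203.0.113.7", t: 59_300 + 7 * i });
  for (let i = 0; i < 60; i++) events.push({ key: "198.51.100.9", t: 2_000 * i });
  return events.sort((a, b) => a.t - b.t);
}

// Replays the events through a limiter and counts allowed requests per key.
function countAllowed(limiter, events) {
  const allowed = {};
  for (const { key, t } of events) allowed[key] = (allowed[key] || 0) + (limiter(key, t) ? 1 : 0);
  return allowed;
}

console.log("fixed window:", countAllowed(fixedWindow(LIMIT, WINDOW_MS), sampleTraffic()));
console.log("token bucket:", countAllowed(tokenBucket(LIMIT, WINDOW_MS), sampleTraffic()));
```

With this traffic, the fixed window admits all 200 requests from the retrying client because its counter resets at the window boundary, while the token bucket admits 102. The client sending one request every 2 seconds is unaffected by either strategy.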
The pricing is based on the region(s) from which the requests come.