5 min read
Let's explore how to block traffic with the Firewall, set up soft and hard spend limits, apply code-level optimizations, and more to protect your app against bad actors.
If you’re on our free tier, you don’t need to worry. When your app passes the included free usage, it is automatically paused and never charged.
Configurable Firewall rules
You can create custom Firewall rules to log, block, or challenge traffic to your app. Custom rules are available on all plans for no additional charge.
Rules can be based on 15+ fields including request path, user agent, IP address, JA4 fingerprint, geolocation, HTTP headers, and even target path.
Blocking traffic based on IP address
For example, let’s say you notice some strange traffic from a single IP:
You can create a custom rule to deny traffic from this IP address:
Blocking traffic based on JA4 fingerprints
What if you notice an unfamiliar traffic pattern from multiple IP addresses?
Filtering the Firewall data by JA4 allows you to see fingerprints of traffic data. This is more advanced than looking at just the IP address, user agent, or geolocation. Instead, we can compute a unique fingerprint for traffic that is difficult to circumvent.
Using JA4 fingerprints means a higher probability of detecting (and blocking) bad actors. This advanced fingerprinting is available on all Vercel plans for free.
Challenging suspicious traffic with Attack Challenge Mode
Let’s say you get a usage notification from Vercel that your application is seeing more traffic than normal. It might not be obvious at first what the issue is, and you want to ensure only real customers are allowed into your app.
With the Firewall, you can turn on Attack Challenge Mode.
This serves up a “challenge” screen to all visitors temporarily while you investigate the rise in usage. Real visitors will automatically complete a browser challenge in the background before proceeding to the app. Malicious traffic likely will not pass the challenge.
You can also define custom rules to challenge traffic at a more granular level.
Real-time usage and spend controls
Serverless shouldn’t mean unlimited usage. Only you know what’s right for your application and your business. To help avoid unexpected bills, you can define a spend limit to get alerted, or automatically pause your app when that amount is reached.
To quickly take action on traffic patterns, you need to understand your usage in real-time. That’s why we provide a powerful usage page to help you understand your traffic at a glance, as well as a more powerful query engine for advanced usage investigation with Monitoring.
Code optimizations
You can also proactively configure your application to optimize usage. For example, the following areas for optimization are places we commonly see customers reference.
Lowering the maximum duration of your functions
Vercel Functions have a default maximum duration of 15 seconds on paid plans. They can be configured to increase the maximum duration, or start streaming a response to run longer.
The longer your function runs, the more usage is incurred. If you expect that your function should never take longer than 5 seconds to run, for example, you can lower the maximum duration to automatically error if that duration is exceeded.
Vercel Functions are automatically created (through framework-defined infrastructure) when you server-side render a page, revalidate a page’s contents, or create an API endpoint. For example with Next.js:
export const maxDuration = 5;
export default async function Page() { const data = await getData() return '...'}
This index route (/
) is server-side rendered and will only execute for a maximum of 5 seconds. To further limit Function usage, you can explore Incremental Static Regeneration, depending on your application requirements.
Learn more about configuring the max duration of functions.
Ensure optimized images are using a consistent source image value
Vercel’s infrastructure has the ability to optimized images on-demand. This works with frameworks like Next.js, SvelteKit, Nuxt, Astro, and Gatsby.
The value you pass to the src
of your image will produce multiple optimized images based on the viewport and device of the visitor. You’ll want to ensure you’re not passing dynamic source values which could change based on query parameters or other variables.
Learn more about managing Image Optimization usage and costs. This service is optional — you can also optimize your images before uploading them to your CMS or database, and then use the unoptimized
prop when using frameworks like Next.js (as the source is already compressed).
Move large media files (like images or videos) to Blob storage
When investigating your usage, if you see that your top sources of Fast Data Transfer are large image or video files, you might consider moving these assets to blob storage. Vercel Blob is a cost-effective object storage service for these static assets.
Protecting your deployments from unauthorized traffic
Vercel creates a unique deployment for every commit you push to your repository.
This makes it easy to preview and test changes, as well as instantly rollback to older versions if something goes wrong.
For most of your applications, you likely only want your current production deployment to be publicly accessible. In November 2023, we updated the defaults for deployment protection to be turned on by default. If you joined Vercel after this time, congratulations, your work here is done.
For those of you who have been on Vercel for longer, it might be worth revisiting your deployment protection settings to ensure access to your deployments are locked down to those on your Vercel team. We’re soon shipping an improvement to highlight this in the Vercel dashboard.
Secure by default
Our goal is to make applications on Vercel secure by default. The only traffic that makes it to your app (and to your bill) is traffic you’re excited to welcome.
Vercel keeps you protected from large attacks on your apps automatically. We block an average of 1 billion suspicious connections per week. This malicious traffic never makes it past our Firewall to your wallet.
While we continuously strengthen our defense against bad actors, your applications have different levels of tolerance for traffic patterns. A spike of ten thousand new requests might be a normal day for you, or it might be something wrong.
That’s why we also provide configurable Firewall rules, usage notifications, SMS notifications, spend limits, and more. Hopefully you now have a better understanding of how to keep your application protected on Vercel and prevent unwanted usage.