Managing microfrontends security
Understand how and where you manage Deployment Protection and Vercel Firewall for each microfrontend application.
Because each URL is protected by the Deployment Protection settings of the project it belongs to, the deployment protection for the microfrontend experience as a whole is determined by the default application.
For requests to a microfrontend host (a domain belonging to the microfrontend default application):
- Requests are only verified by the Deployment Protection settings for the project of your default application
For requests directly to a child application (a domain belonging to a child microfrontend):
- Requests are only verified by the Deployment Protection settings for the project of the child application
This applies to all protection methods and bypass methods, including:
- Vercel Authentication
- Password Protection
- Trusted IPs
- Shareable Links
- Protection Bypass for Automation
- Deployment Protection Exceptions
- OPTIONS Allowlist
Use the Deployment Protection settings for the project of the default application to control access to the microfrontend.
We recommend the following configuration:
- Default app: Use Standard Protection so that end users can access the microfrontend through the default app's URL.
- Child apps: Enable protection for all deployments so that child apps are not directly accessible. Since child app content is served through the default app's URL, child apps can only be accessed via the URL of the default project.
This works because Vercel handles routing to child apps within a single request at the network layer — as explained in Path Routing — it is not a rewrite that would result in a separate request to the child app's URL. Deployment protection on the child app therefore applies only when the child app's URL is accessed directly.
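As an added check (not code from the Vercel docs), the script below verifies that the recommended configuration actually holds: a child-owned path is served through the default app's host, while the same path requested directly on the child app's host is refused. The hostnames and path are assumed placeholders, and the notion of "blocked" (401/403, or a redirect away from the child host) is an assumption about how a protected deployment answers an unauthenticated request.

```python
# Added example (not from the Vercel docs). Hostnames and paths are placeholders.
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetch performs a GET without following redirects and returns (status, Location or "").
Fetch = Callable[[str], Tuple[int, str]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx responses instead of following them


def http_fetch(url: str) -> Tuple[int, str]:
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, err.headers.get("Location") or ""


def is_blocked(host: str, status: int, location: str) -> bool:
    """Assumption: a protected deployment answers 401/403, or redirects the
    visitor off the child host (e.g. into a login flow)."""
    if status in (401, 403):
        return True
    if 300 <= status < 400 and location:
        return host not in location
    return False


def check_microfrontend_protection(
    default_host: str, child_host: str, child_path: str, fetch: Fetch = http_fetch
) -> Dict[str, bool]:
    """With the recommended setup both values are True: the path is served via
    the default app's host, and the child app's own host refuses it."""
    status_default, _ = fetch(f"https://{default_host}{child_path}")
    status_child, location_child = fetch(f"https://{child_host}{child_path}")
    return {
        "served_via_default": status_default == 200,
        "child_blocked_directly": is_blocked(child_host, status_child, location_child),
    }


if __name__ == "__main__":
    # Placeholder hosts: replace with your default and child project domains.
    print(check_microfrontend_protection("shop.example.com", "checkout-child.example.com", "/checkout"))
```

A `False` in `child_blocked_directly` means the child project does not have protection enabled for all deployments, so its content is reachable without going through the default app.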
For the Vercel Firewall, the rules of more than one project can apply to a single request:
- The platform-wide firewall is applied to all requests.
- The customizable Web Application Firewall (WAF) rules of both the default application and the corresponding child application are applied to a request.
For requests to a microfrontend host (a domain belonging to the microfrontend default application):
- All requests are verified by the Vercel WAF for the project of your default application
- Requests to child applications are additionally verified by the Vercel WAF for their project
For requests directly to a child application (a domain belonging to a child microfrontend):
- Requests are only verified by the Vercel WAF for the project of the child application
This applies for the entire Vercel WAF, including Custom Rules, IP Blocking, WAF Managed Rulesets, and Attack Challenge Mode.
- To set a WAF rule that applies to all requests to a microfrontend, use the Vercel WAF for your default application.
- To set a WAF rule that applies only to requests to paths of a child application, use the Vercel WAF for the child project.