--- title: put-firewall-configuration product: vercel url: /docs/rest-api/security/put-firewall-configuration type: reference prerequisites: [] related: - /docs/rest-api summary: Learn about put-firewall-configuration on Vercel. install_vercel_plugin: npx plugins add vercel/vercel-plugin --- # Put Firewall Configuration ```http PUT /v1/security/firewall/config ``` Set the firewall configuration to provided rules and settings. Creates or overwrite the existing firewall configuration. ## Authentication **bearerToken**: HTTP bearer ## Query parameters | Name | Type | Required | Description | |---|---|---|---| | `projectId` | string | Yes | | | `teamId` | string | No | The Team identifier to perform the request on behalf of. | | `slug` | string | No | The Team slug to perform the request on behalf of. | ## Request body Required: Yes Content-Type: `application/json` ```json { "type": "object", "required": [ "firewallEnabled" ], "properties": { "firewallEnabled": { "type": "boolean" }, "managedRules": { "type": "object" }, "crs": { "type": "object", "description": "Custom Ruleset", "properties": { "sd": { "type": "object", "description": "Scanner Detection - Detect and prevent reconnaissance activities from network scanning tools.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "ma": { "type": "object", "description": "Multipart Attack - Block attempts to bypass security controls using multipart/form-data encoding.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "lfi": { "type": "object", "description": "Local File Inclusion Attack - Prevent unauthorized access to local files through web applications.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "rfi": { "type": "object", "description": "Remote File Inclusion Attack - Prohibit unauthorized upload or execution of remote files.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "rce": { "type": "object", "description": "Remote Execution Attack - Prevent unauthorized execution of remote scripts or commands.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "php": { "type": "object", "description": "PHP Attack - Safeguard against vulnerability exploits in PHP-based applications.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "gen": { "type": "object", "description": "Generic Attack - Provide broad protection from various undefined or novel attack vectors.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "xss": { "type": "object", "description": "XSS Attack - Prevent injection of malicious scripts into trusted webpages.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "sqli": { "type": "object", "description": "SQL Injection Attack - Prohibit unauthorized use of SQL commands to manipulate databases.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "sf": { "type": "object", "description": "Session Fixation Attack - Prevent unauthorized takeover of user sessions by enforcing unique session IDs.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "java": { "type": "object", "description": "Java Attack - Mitigate risks of exploitation targeting Java-based applications or components.", "required": [ "active", "action" ], "properties": { "active": { "type": "boolean" }, "action": { "type": "string", "enum": [ "deny", "log" ] } } } } }, "rules": { "type": "array", "items": { "type": "object", "required": [ "name", "active", "conditionGroup", "action" ], "properties": { "id": { "type": "string" }, "name": { "type": "string", "maxLength": 160 }, "description": { "type": "string", "maxLength": 256 }, "active": { "type": "boolean" }, "conditionGroup": { "type": "array", "items": { "type": "object", "required": [ "conditions" ], "properties": { "conditions": { "type": "array", "items": { "type": "object", "required": [ "type", "op" ], "properties": { "type": { "type": "string", "description": "[Parameter](https://vercel.com/docs/security/vercel-waf/rule-configuration#parameters) from the incoming traffic.", "enum": [ "host", "path", "method", "header", "query", "cookie", "target_path", "route", "raw_path", "ip_address", "region", "protocol", "scheme", "environment", "user_agent", "geo_continent", "geo_country", "geo_country_region", "geo_city", "geo_as_number", "ja4_digest", "ja3_digest", "rate_limit_api_id", "server_action", "bot_name", "bot_category" ] }, "op": { "type": "string", "enum": [ "re", "eq", "neq", "ex", "nex", "inc", "ninc", "pre", "suf", "sub", "gt", "gte", "lt", "lte" ] }, "neg": { "type": "boolean" }, "key": { "type": "string" }, "value": { "anyOf": [ { "type": "string" }, { "type": "array", "items": { "type": "string" } }, { "type": "number" } ] } } } } } } }, "action": { "type": "object", "properties": { "mitigate": { "type": "object", "required": [ "action" ], "properties": { "action": { "type": "string", "enum": [ "log", "challenge", "deny", "bypass", "rate_limit", "redirect" ] }, "rateLimit": { "nullable": true, "anyOf": [ { "type": "object", "required": [ "algo", "window", "limit", "keys" ], "properties": { "algo": { "type": "string", "enum": [ "fixed_window", "token_bucket" ] }, "window": { "type": "number" }, "limit": { "type": "number" }, "keys": { "type": "array", "items": { "type": "string" } }, "action": { "nullable": true, "anyOf": [ { "type": "string", "enum": [ "log", "challenge", "deny", "rate_limit" ] }, {} ] } } }, {} ] }, "redirect": { "nullable": true, "anyOf": [ { "type": "object", "required": [ "location", "permanent" ], "properties": { "location": { "type": "string" }, "permanent": { "type": "boolean" } } }, {} ] }, "actionDuration": { "type": "string", "nullable": true }, "bypassSystem": { "type": "boolean", "nullable": true }, "logHeaders": { "oneOf": [ { "type": "string" }, { "type": "array", "items": { "type": "string" } } ] } } } } }, "valid": { "type": "boolean" }, "validationErrors": { "anyOf": [ { "type": "array", "items": { "type": "string" } }, { "type": "string" } ] } } } }, "ips": { "type": "array", "items": { "type": "object", "required": [ "hostname", "ip", "action" ], "properties": { "id": { "type": "string" }, "hostname": { "type": "string" }, "ip": { "type": "string" }, "notes": { "type": "string" }, "action": { "type": "string", "enum": [ "deny", "challenge", "log", "bypass" ] } } } }, "botIdEnabled": { "type": "boolean" }, "logHeaders": { "oneOf": [ { "type": "string" }, { "type": "array", "items": { "type": "string" } } ] } } } ``` ## Responses ### 200: No description Content-Type: `application/json` ```json { "type": "object", "required": [ "active" ], "properties": { "active": { "type": "object", "required": [ "changes", "crs", "firewallEnabled", "id", "ips", "ownerId", "projectKey", "rules", "updatedAt", "version" ], "properties": { "ownerId": { "type": "string" }, "projectKey": { "type": "string" }, "id": { "type": "string" }, "version": { "type": "number" }, "updatedAt": { "type": "string" }, "firewallEnabled": { "type": "boolean", "enum": [ false, true ] }, "crs": { "type": "object", "description": "Custom Ruleset", "required": [ "gen", "java", "lfi", "ma", "php", "rce", "rfi", "sd", "sf", "sqli", "xss" ], "properties": { "sd": { "type": "object", "description": "Scanner Detection - Detect and prevent reconnaissance activities from network scanning tools.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "ma": { "type": "object", "description": "Multipart Attack - Block attempts to bypass security controls using multipart/form-data encoding.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "lfi": { "type": "object", "description": "Local File Inclusion Attack - Prevent unauthorized access to local files through web applications.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "rfi": { "type": "object", "description": "Remote File Inclusion Attack - Prohibit unauthorized upload or execution of remote files.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "rce": { "type": "object", "description": "Remote Execution Attack - Prevent unauthorized execution of remote scripts or commands.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "php": { "type": "object", "description": "PHP Attack - Safeguard against vulnerability exploits in PHP-based applications.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "gen": { "type": "object", "description": "Generic Attack - Provide broad protection from various undefined or novel attack vectors.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "xss": { "type": "object", "description": "XSS Attack - Prevent injection of malicious scripts into trusted webpages.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "sqli": { "type": "object", "description": "SQL Injection Attack - Prohibit unauthorized use of SQL commands to manipulate databases.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "sf": { "type": "object", "description": "Session Fixation Attack - Prevent unauthorized takeover of user sessions by enforcing unique session IDs.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } }, "java": { "type": "object", "description": "Java Attack - Mitigate risks of exploitation targeting Java-based applications or components.", "required": [ "action", "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log" ] } } } } }, "rules": { "type": "array", "items": { "oneOf": [ { "type": "object", "required": [ "action", "active", "conditionGroup", "id", "name", "valid", "validationErrors" ], "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "description": { "type": "string" }, "active": { "type": "boolean", "enum": [ false, true ] }, "conditionGroup": { "type": "array", "items": { "type": "object", "required": [ "conditions" ], "properties": { "conditions": { "type": "array", "items": { "type": "object", "required": [ "op", "type" ], "properties": { "type": { "type": "string", "enum": [ "host", "path", "method", "header", "query", "cookie", "target_path", "route", "raw_path", "ip_address", "protocol", "region", "scheme", "environment", "user_agent", "geo_continent", "geo_country", "geo_country_region", "geo_city", "geo_as_number", "ja4_digest", "ja3_digest", "rate_limit_api_id", "server_action", "bot_name", "bot_category" ] }, "op": { "type": "string", "enum": [ "sub", "re", "eq", "ex", "inc", "pre", "suf", "gt", "gte", "lt", "lte", "nex", "ninc", "neq" ] }, "neg": { "type": "boolean", "enum": [ false, true ] }, "key": { "type": "string" }, "value": { "oneOf": [ { "type": "string" }, { "type": "number" }, { "type": "array", "items": { "type": "string" } } ] } } } } } } }, "action": { "type": "object", "properties": { "mitigate": { "type": "object", "required": [ "action" ], "properties": { "action": { "type": "string", "enum": [ "deny", "log", "challenge", "bypass", "rate_limit", "redirect" ] }, "rateLimit": { "type": "object", "nullable": true, "required": [ "algo", "keys", "limit", "window" ], "properties": { "algo": { "type": "string", "enum": [ "fixed_window", "token_bucket" ] }, "window": { "type": "number" }, "limit": { "type": "number" }, "keys": { "type": "array", "items": { "type": "string" } }, "action": { "type": "string", "enum": [ "deny", "log", "challenge", "rate_limit" ], "nullable": true } } }, "redirect": { "type": "object", "nullable": true, "required": [ "location", "permanent" ], "properties": { "location": { "type": "string" }, "permanent": { "type": "boolean", "enum": [ false, true ] } } }, "actionDuration": { "type": "string", "nullable": true }, "bypassSystem": { "type": "boolean", "enum": [ false, true ], "nullable": true }, "logHeaders": { "oneOf": [ { "type": "array", "items": { "type": "string" } }, { "type": "string", "enum": [ "*" ] } ] } } } } }, "valid": { "type": "boolean", "enum": [ true ] }, "validationErrors": { "nullable": true } } }, { "type": "object", "required": [ "action", "active", "conditionGroup", "id", "name", "valid", "validationErrors" ], "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "description": { "type": "string" }, "active": { "type": "boolean", "enum": [ false, true ] }, "conditionGroup": { "type": "array", "items": { "type": "object", "required": [ "conditions" ], "properties": { "conditions": { "type": "array", "items": { "type": "object", "required": [ "op", "type" ], "properties": { "type": { "type": "string", "enum": [ "host", "path", "method", "header", "query", "cookie", "target_path", "route", "raw_path", "ip_address", "protocol", "region", "scheme", "environment", "user_agent", "geo_continent", "geo_country", "geo_country_region", "geo_city", "geo_as_number", "ja4_digest", "ja3_digest", "rate_limit_api_id", "server_action", "bot_name", "bot_category" ] }, "op": { "type": "string", "enum": [ "sub", "re", "eq", "ex", "inc", "pre", "suf", "gt", "gte", "lt", "lte", "nex", "ninc", "neq" ] }, "neg": { "type": "boolean", "enum": [ false, true ] }, "key": { "type": "string" }, "value": { "oneOf": [ { "type": "string" }, { "type": "number" }, { "type": "array", "items": { "type": "string" } } ] } } } } } } }, "action": { "type": "object", "properties": { "mitigate": { "type": "object", "required": [ "action" ], "properties": { "action": { "type": "string", "enum": [ "deny", "log", "challenge", "bypass", "rate_limit", "redirect" ] }, "rateLimit": { "type": "object", "nullable": true, "required": [ "algo", "keys", "limit", "window" ], "properties": { "algo": { "type": "string", "enum": [ "fixed_window", "token_bucket" ] }, "window": { "type": "number" }, "limit": { "type": "number" }, "keys": { "type": "array", "items": { "type": "string" } }, "action": { "type": "string", "enum": [ "deny", "log", "challenge", "rate_limit" ], "nullable": true } } }, "redirect": { "type": "object", "nullable": true, "required": [ "location", "permanent" ], "properties": { "location": { "type": "string" }, "permanent": { "type": "boolean", "enum": [ false, true ] } } }, "actionDuration": { "type": "string", "nullable": true }, "bypassSystem": { "type": "boolean", "enum": [ false, true ], "nullable": true }, "logHeaders": { "oneOf": [ { "type": "array", "items": { "type": "string" } }, { "type": "string", "enum": [ "*" ] } ] } } } } }, "valid": { "type": "boolean", "enum": [ false ] }, "validationErrors": { "type": "array", "items": { "type": "string" } } } } ] } }, "ips": { "type": "array", "items": { "type": "object", "required": [ "action", "hostname", "id", "ip" ], "properties": { "id": { "type": "string" }, "hostname": { "type": "string" }, "ip": { "type": "string" }, "notes": { "type": "string" }, "action": { "type": "string", "enum": [ "deny", "log", "challenge", "bypass" ] } } } }, "changes": { "type": "array", "items": { "type": "object" } }, "managedRules": { "type": "object", "properties": { "bot_protection": { "type": "object", "required": [ "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log", "challenge" ] }, "updatedAt": { "type": "string" }, "userId": { "type": "string" }, "username": { "type": "string" } } }, "ai_bots": { "type": "object", "required": [ "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log", "challenge" ] }, "updatedAt": { "type": "string" }, "userId": { "type": "string" }, "username": { "type": "string" } } }, "owasp": { "type": "object", "required": [ "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log", "challenge" ] }, "updatedAt": { "type": "string" }, "userId": { "type": "string" }, "username": { "type": "string" } } }, "vercel_ruleset": { "type": "object", "required": [ "active" ], "properties": { "active": { "type": "boolean", "enum": [ false, true ] }, "action": { "type": "string", "enum": [ "deny", "log", "challenge" ] }, "updatedAt": { "type": "string" }, "userId": { "type": "string" }, "username": { "type": "string" } } } } }, "botIdEnabled": { "type": "boolean", "enum": [ false, true ] }, "logHeaders": { "oneOf": [ { "type": "array", "items": { "type": "string" } }, { "type": "string", "enum": [ "*" ] } ] } } } } } ``` ### 400: One of the provided values in the request body is invalid. One of the provided values in the request query is invalid. ### 401: The request is not authorized. ### 402: No description ### 403: You do not have permission to access this resource. ### 404: No description ### 500: No description --- ## Related - [security endpoints](/docs/rest-api#security) - [REST API overview](/docs/rest-api) - [OpenAPI spec](https://openapi.vercel.sh/) (machine-readable, all endpoints) --- [View full sitemap](/docs/sitemap)