How-to
3 min read

Attack Challenge Mode

Learn how to use Attack Challenge Mode to help control who has access to your site when it's under attack.
Table of Contents

Attack Challenge Mode is available on all plans

Those with the member role can access this feature

Attack Challenge Mode is a way for Vercel customers to ensure more control when under DDoS attacks. When enabled, all visitors to your site will see a challenge before allowed through.

The Vercel Firewall automatically mitigates against DDoS attacks, but sometimes you may want an extra layer of control to ensure that all traffic to your site is legitimate.

Attack Challenge Mode is available for free on all plans and any requests blocked by challenge mode will not count towards your usage limits.

Enabling Attack Challenge Mode on your Vercel deployment may prevent cron jobs from running for the duration that Attack Challenge Mode is active. Consider this potential impact before enabling Attack Challenge Mode.

When you enable Attack Challenge Mode, Vercel will issue every request made to your site with an automatic challenge that's solvable by the end-user's browser. This verifies the visitor is a real person before they can access your site.

To end-users, this will appear as a page showing the Vercel Security Checkpoint that will only appear on their first visit. They will not need to interact with this page, but it will delay their experience for a few seconds:

Vercel Challenge Page
Vercel Challenge Page

The challenge page text is localized to 22 languages, based on the visitor's browser settings, and will also automatically respect the visitor's preferred color scheme.

While Vercel's Firewall will always monitor for and mitigate attacks, you can temporarily enable Attack Challenge Mode when you are under attack and want to provide another layer of security.

To enable:

  1. Select your project from the Dashboard
  2. Navigate to the Settings tab and then the Security section
  3. Toggle the Attack Challenge Mode switch to Enabled

All traffic initiated by a web browser, including API traffic, is supported. For example, a Next.js frontend calling a Next.js API in the same project.

Standalone APIs, other backend frameworks, and web crawlers may not be able to pass challenges and may be blocked. You should only enable Attack Challenge temporarily, as needed. If you need further control, you can define a Custom Rule with the Vercel WAF.

Attack Challenge Mode is designed to be an extra layer of control for your site, in addition to Vercel's Firewall. It is meant to be configured temporarily in order to help control access to your site when under attack. Once the attack has subsided, you can disable Attack Challenge Mode.

To disable:

  1. Select your project from the Dashboard
  2. Navigate to the Settings tab and then the Security section
  3. Toggle the Attack Challenge Mode switch to Disabled

You can challenge web traffic with more granularity by defining a Custom Rule with the Vercel WAF.

Indexing by web crawlers like the Google crawler can be affected by Attack Challenge Mode if it's kept on for more than 48 hours.

  • English
  • Arabic
  • Bengali
  • Chinese
  • French
  • German
  • Hindi
  • Italian
  • Japanese
  • Javanese
  • Korean
  • Marathi
  • Polish
  • Portuguese
  • Punjabi
  • Russian
  • Spanish
  • Tamil
  • Telugu
  • Turkish
  • Urdu
  • Vietnamese

Attack Challenge Mode is available for free on all plans.

All mitigations by Attack Challenge Mode are free and unlimited, and there are zero costs associated with traffic blocked by Attack Challenge Mode.

Last updated on July 25, 2024