Attack Challenge Mode
Learn how to use Attack Challenge Mode to help control who has access to your site when it's under attack.Attack Challenge Mode is a way for Vercel customers to ensure more control when under DDoS attacks. When you enable Attack Challenge Mode, all visitors to your site will see a challenge before they are allowed through.
The Vercel Firewall automatically mitigates against DDoS attacks, but sometimes you may want an extra layer of control to ensure that all traffic to your site is legitimate.
Attack Challenge Mode is available for free on all plans and any requests blocked by challenge mode will not count towards your usage limits.
When you enable Attack Challenge Mode, Vercel will issue every request made to your site with an automatic challenge that's solvable by the end-user's browser. This verifies the visitor is a real person before they can access your site.
To end-users, this will appear as a page showing the Vercel Security Checkpoint that will only appear on their first visit. They will not need to interact with this page, but it will delay their experience for a few seconds:
While Vercel's Firewall will always monitor for and mitigate attacks, you can temporarily enable Attack Challenge Mode when you are under attack and want to provide another layer of security.
To enable:
- Select your project from the Dashboard
- Navigate to the Settings tab and then the Security section
- Toggle the Attack Challenge Mode switch to Enabled
All traffic initiated by a web browser, including API traffic, is supported. For example, a Next.js frontend calling a Next.js API in the same project.
Standalone APIs, other backend frameworks, and web crawlers may not be able to pass challenges and therefore may be blocked. For this reason you should only enable it temporarily, as needed.
Attack Challenge Mode is designed to be an extra layer of control for your site, in addition to Vercel's Firewall. It is meant to be configured temporarily in order to help control access to your site when under attack. Once the attack has subsided, you can disable Attack Challenge Mode.
To disable:
- Select your project from the Dashboard
- Navigate to the Settings tab and then the Security section
- Toggle the Attack Challenge Mode switch to Disabled
Attack Challenge Mode is available for free on all plans.
All mitigations by Attack Challenge Mode are free and unlimited, and there are zero costs associated with traffic blocked by Attack Challenge Mode.
Was this helpful?