Vercel WAF
Learn how to secure your website with the Vercel Web Application Firewall (WAF)Vercel WAF is available on all plans
Those with the member, viewer, developer and administrator roles can access this feature
The Vercel WAF, part of the Firewall, provides security controls to monitor and control the internet traffic to your site through logging, blocking and challenging. When you apply a configuration change to the firewall, it takes effect globally within 300ms and can be instantly rolled back to prior configurations.
In the Firewall tab of your project, you can see a line graph that displays the total incoming web traffic over a specific period of time for your production deployment. The default view shows an Overview of the traffic for a live 10-minute window.
Use the following settings to change the monitoring view:
- Traffic grouping:
- Overview: The default option shows the traffic grouped by Category (of traffic control rules) or Action (Allow, challenge, deny, or log) applied to the traffic with the firewall rules
- The remaining options show the traffic for the selected set by Region, IP Address, User Agent, Request Path, Target Path, JA4 Digest, or Country
- Default web traffic
- Custom Rule list: A list of your enabled custom rules
- Managed Ruleset list (Enterprise plan): A list of your enabled managed rulesets
- Time period: Select Live (10 minute live window) or Past Day (24 hours)
You can control the internet traffic to your website in the following ways:
- IP blocking: Learn how to configure IP blocking
- Custom rules: Learn how to configure custom rules for your project
- Managed rulesets: Learn how to enable managed rulesets for your project (Enterprise plan)
The rules obey the following order of execution by default:
- DDoS Mitigation rules
- IP blocking
- Custom Rules
- Managed Rulesets
When you have more than one custom rule, you can customize their order in the Firewall tab of the project.
You can quickly revert to a previous version of your firewall configuration. This can be useful in situations that require a quick recovery from unexpected behavior or rule creation.
To restore to a previous version:
- From your dashboard, select the project that you'd like to configure a rule for and then select the Firewall tab
- Select the View Audit Log option by clicking on the ellipsis menu at the top right
- Find the version that you would like to restore to by using the date and time selectors
- Select Restore and then Restore Configuration on the confirmation modal
Depending on your plan, there are limits for each Vercel WAF feature.
Feature | Hobby | Pro | Enterprise |
---|---|---|---|
Project level IP Blocking | Up to 10 | Up to 100 | Custom |
Account-level IP Blocking | N/A | N/A | Custom |
Custom Rules | Up to 3 | Up to 40 | Up to 1000 |
Custom Rule Parameters | All | All | All |
Managed Rulesets | N/A | N/A | Contact sales |
- For Account-level IP Blocking, CIDR rules are limited to
/16
for IPv4 and/48
for IPv6 - For Custom Rule Parameters, JA3 (Legacy) is available on Enterprise plans
Was this helpful?