
Firewall rules

Learn how Enterprise teams can customize their Vercel Firewall rules by restricting access to certain IP addresses.

Creating custom rules is available on Enterprise plans

Those with the owner and member roles can access this feature

With Vercel Firewall, you can create rules that give you more control over your site, such as blocking specific IP addresses from accessing it.

You can create custom rules to block a specific IP address or multiple IP addresses by CIDR, effectively preventing unauthorized access or unwanted traffic. This security measure allows you to restrict access to your applications or websites based on the IP addresses of incoming requests.

Common use cases for IP blocking on Vercel include:

  • Blocking known malicious IP addresses
  • Preventing competitors or scrapers from accessing your content

For cases such as blocking to comply with specific laws and regulations, or restricting access to or from a particular geographic area, we recommend using Middleware instead.

To block an IP address, you can create a custom rule in your dashboard:

  1. On your Team's dashboard, navigate to Settings and select the Security tab
  2. On the IP Blocking section, click Create New Rule to create a new rule set
  3. Add the IP address you want to block and the host you want to block it from. The host is the domain name of the site you want to stop the IP address from accessing
    • You can copy this value from the URL of the site you want to protect, without the https:// prefix
    • It must match the exact domain you want to block, for example my-site.com, www.my-site.com or docs.my-site.com
    • You should add an entry for every subdomain that you wish to block, such as blog.my-site.com and docs.my-site.com
Creating a new IP blocking rule.

Custom firewall rules for IP blocking are limited to 1000 rules. CIDR ranges can be no broader than /16 for IPv4 and /48 for IPv6.
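To make the constraints above concrete, here is an added example (not Vercel's code, and not how the Firewall is implemented) that models a rule set of `{ ip, host }` entries, rejects rules that violate the documented limits (more than 1000 rules, an IPv4 range broader than /16, an IPv6 range broader than /48, a host that is not a bare domain), and reports which requests such a set would block. The rule shape and the exact-host comparison are assumptions based on the steps described above.

```javascript
// Added example, not Vercel's code: a small model of the IP-blocking rules the
// docs describe, so you can validate a rule set against the stated limits and
// see which requests it would block. Rule shape assumed here: { ip, host },
// where ip is a single address or a CIDR and host is the exact domain.
const MAX_RULES = 1000;      // rule-count limit from the docs
const MAX_IPV4_PREFIX = 16;  // CIDR may be no broader than /16 for IPv4
const MAX_IPV6_PREFIX = 48;  // CIDR may be no broader than /48 for IPv6

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// Expand an IPv6 address (with optional "::" compression) into eight 16-bit groups.
function ipv6ToGroups(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (halves.length === 1 ? head.length !== 8 : fill < 1) throw new Error(`invalid IPv6 address: ${ip}`);
  return [...head, ...Array(fill).fill('0'), ...tail].map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error(`invalid IPv6 address: ${ip}`);
    return parseInt(g, 16);
  });
}

// Validate one rule against the documented constraints and precompute match data.
function compileRule({ ip, host }) {
  if (typeof host !== 'string' || !/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(host)) {
    throw new Error(`host must be a bare domain such as www.my-site.com, got: ${host}`);
  }
  const [addr, prefixStr] = ip.split('/');
  const isV6 = addr.includes(':');
  const bits = isV6 ? 128 : 32;                     // a single address is a full-length prefix
  const prefix = prefixStr === undefined ? bits : Number(prefixStr);
  const minPrefix = isV6 ? MAX_IPV6_PREFIX : MAX_IPV4_PREFIX;
  if (!Number.isInteger(prefix) || prefix < minPrefix || prefix > bits) {
    throw new Error(`CIDR prefix for ${ip} must be between /${minPrefix} and /${bits}`);
  }
  return { host: host.toLowerCase(), isV6, prefix, net: isV6 ? ipv6ToGroups(addr) : ipv4ToInt(addr) };
}

// Compile a whole rule set, enforcing the 1000-rule limit.
function compileRules(rules) {
  if (rules.length > MAX_RULES) throw new Error(`at most ${MAX_RULES} IP blocking rules are allowed`);
  return rules.map(compileRule);
}

// True when the first `prefix` bits of two IPv4 addresses agree.
function sameIpv4Prefix(a, b, prefix) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// True when the first `prefix` bits of two IPv6 addresses (as 16-bit groups) agree.
function sameIpv6Prefix(a, b, prefix) {
  for (let i = 0; i < 8; i++) {
    const bitsLeft = prefix - i * 16;
    if (bitsLeft <= 0) return true;
    const mask = bitsLeft >= 16 ? 0xffff : (0xffff << (16 - bitsLeft)) & 0xffff;
    if ((a[i] & mask) !== (b[i] & mask)) return false;
  }
  return true;
}

// Decide whether a request (client IP plus the host it was sent to) hits any rule.
// Hosts are compared exactly, so a rule for www.my-site.com does not cover docs.my-site.com.
function isBlocked(compiled, { ip, host }) {
  const isV6 = ip.includes(':');
  const h = host.toLowerCase();
  const addr = isV6 ? ipv6ToGroups(ip) : ipv4ToInt(ip);
  return compiled.some((r) =>
    r.host === h && r.isV6 === isV6 &&
    (isV6 ? sameIpv6Prefix(addr, r.net, r.prefix) : sameIpv4Prefix(addr, r.net, r.prefix)));
}

// Constructed sample rule set (documentation addresses, not real blocked ranges).
const sampleRules = compileRules([
  { ip: '203.0.113.0/24', host: 'www.my-site.com' },
  { ip: '2001:db8:1234::/48', host: 'my-site.com' },
]);
console.log(isBlocked(sampleRules, { ip: '203.0.113.77', host: 'www.my-site.com' }));
```

The exact-host comparison is the reason the steps above tell you to add one entry per subdomain; the example also shows why a /8 IPv4 or /32 IPv6 rule is rejected before it reaches the match loop.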

Note: If you need Firewall configurations, such as IP blocking, contact us to discuss Enterprise.


TLS Fingerprints are available on Enterprise plans

The Vercel Firewall provides the capability to work with JA3 and JA4 TLS fingerprints. This advanced feature is for customers who need an extra layer of tracking and identifying potentially malicious traffic. TLS fingerprints allow the unique identification of client sessions by inspecting details of the Transport Layer Security (TLS) protocol initiation process.

TLS fingerprinting is a process used to identify and categorize encrypted network traffic.

It creates a unique identifier from the details of a TLS client hello packet, such as the version of TLS, supported cipher suites, and included extensions.

JA3 and JA4 are methods that transform the TLS handshake details into a hash, serving as the fingerprint. We can use that hash to monitor and restrict access.

Controlling access by TLS fingerprint allows us to mitigate malicious actors that use sophisticated methods of attack. For example, a DDoS attack that is spread across multiple user agents, IPs, or geographic locations might share the same TLS fingerprint. With fingerprinting, the Vercel Firewall can block all of the traffic that matches that TLS fingerprint.

JA4 is part of the JA4+ suite. It offers a more granular and flexible approach to network fingerprinting, helping to mitigate malicious traffic and prevent bot traffic.

With JA4, it's possible to identify, track, and categorize server-side encrypted network traffic. This is crucial in detecting and mitigating potential security threats, as it provides a more comprehensive view of the network traffic when used in conjunction with JA3.

JA3 is a tool that uses TLS fingerprinting to track and identify potential security threats. It specifically focuses on the details of the TLS client hello packet, generating a unique hash from it. This client hello packet contains specific information such as the TLS version, supported cipher suites, and any extensions used.

The following headers are sent to each deployment and can be used to process the request before sending back a response. These headers can be read from the Request object in your Function.

  • Unique client fingerprint hash generated by the JA4 algorithm.
  • Unique client fingerprint hash generated by the JA3 algorithm.
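As an added example of reading these headers inside a Function (this is not Vercel's code, and the exact header names are an assumption; confirm them against the request headers you see in your own deployment), the block below pulls both digests from the Request, refuses any fingerprint on a denylist, and flags a fingerprint that suddenly arrives from many distinct client IPs, which is the spread-out DDoS pattern described earlier on this page. The denylist entries and the threshold are constructed sample values.

```javascript
// Added example, not Vercel's code. It reads the JA3/JA4 digests forwarded to a
// Function, blocks denylisted fingerprints, and flags one fingerprint seen from
// many distinct IPs in a short window. Header names below are assumptions;
// check them against the headers your deployment actually receives.
const JA3_HEADER = 'x-vercel-ja3-digest';
const JA4_HEADER = 'x-vercel-ja4-digest';
const CLIENT_IP_HEADER = 'x-forwarded-for'; // assumed source of the client IP

// Constructed sample denylist; real entries come from your own incident data.
const DENIED_FINGERPRINTS = new Set([
  'e7d705a3286e19ea42f587b344ee6865',      // constructed JA3-style (md5) value
  't13d1516h2_8daaf6152771_b0da82dd1658',  // constructed JA4-style value
]);

// Read and normalise both digests from any Headers-like object with get().
// Missing headers (for example in local development) come back as null.
function fingerprintsFromHeaders(headers) {
  const norm = (v) => (typeof v === 'string' && v.trim() ? v.trim().toLowerCase() : null);
  return { ja3: norm(headers.get(JA3_HEADER)), ja4: norm(headers.get(JA4_HEADER)) };
}

// Tracks how many distinct client IPs each fingerprint was seen from in a sliding window.
class FingerprintTracker {
  constructor(windowMs = 60_000, distinctIpThreshold = 50) {
    this.windowMs = windowMs;
    this.threshold = distinctIpThreshold;
    this.seen = new Map(); // fingerprint -> Map(ip -> last seen, ms)
  }
  // Record one request and return the distinct-IP count for that fingerprint in the window.
  record(fp, ip, now = Date.now()) {
    let ips = this.seen.get(fp);
    if (!ips) { ips = new Map(); this.seen.set(fp, ips); }
    ips.set(ip, now);
    for (const [seenIp, t] of ips) if (now - t > this.windowMs) ips.delete(seenIp);
    return ips.size;
  }
  isSuspicious(fp, ip, now) { return this.record(fp, ip, now) >= this.threshold; }
}

// Policy: block denylisted fingerprints, flag spikes across many IPs, otherwise allow.
function decide({ ja3, ja4 }, clientIp, tracker, now = Date.now()) {
  if (!ja3 && !ja4) return { action: 'allow', reason: 'no fingerprint headers present' };
  if (DENIED_FINGERPRINTS.has(ja4) || DENIED_FINGERPRINTS.has(ja3)) {
    return { action: 'block', reason: 'fingerprint on denylist' };
  }
  const key = ja4 || ja3; // prefer JA4 when both are present
  if (tracker && tracker.isSuspicious(key, clientIp, now)) {
    return { action: 'flag', reason: `fingerprint seen from ${tracker.threshold}+ IPs in window` };
  }
  return { action: 'allow', reason: 'ok' };
}

const tracker = new FingerprintTracker();

// Use this as your Function's default export. It logs one JSON line per request
// so the fingerprint, client IP and verdict can be correlated later, and
// answers 403 only for denylisted fingerprints; flagged traffic is still served.
function handler(request) {
  const fps = fingerprintsFromHeaders(request.headers);
  const ip = (request.headers.get(CLIENT_IP_HEADER) || 'unknown').split(',')[0].trim();
  const verdict = decide(fps, ip, tracker);
  console.log(JSON.stringify({ ja3: fps.ja3, ja4: fps.ja4, ip, ...verdict }));
  if (verdict.action === 'block') return new Response('Forbidden', { status: 403 });
  return new Response(`verdict: ${verdict.action}`, { status: 200 });
}
```

Blocking on a fingerprint alone is coarse, since many legitimate clients share one TLS stack; the flag path exists so you can watch a fingerprint's spread in logs before deciding to turn it into a block rule.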

Last updated on April 16, 2024