How-to

Vercel WAF

Learn how to secure your website with the Vercel Web Application Firewall (WAF)
Table of Contents

Vercel WAF is available on all plans

Those with the member, viewer, developer and administrator roles can access this feature

The Vercel WAF, part of the Firewall, provides security controls to monitor and control the internet traffic to your site through logging, blocking and challenging. When you apply a configuration change to the firewall, it takes effect globally within 300ms and can be instantly rolled back to prior configurations.

In the Firewall tab of your project, you can see a line graph that displays the total incoming web traffic over a specific period of time for your production deployment. The default view shows an Overview of the traffic for a live 10-minute window.

Web traffic monitoring view with default live 10-minute graph
Web traffic monitoring view with default live 10-minute graph

Use the following settings to change the monitoring view:

  • Traffic grouping:
    • Overview: The default option shows the traffic grouped by Category (of traffic control rules) or Action (Allow, challenge, deny, or log) applied to the traffic with the firewall rules
    • The remaining options show the traffic for the selected set by Region, IP Address, User Agent, Request Path, Target Path, JA4 Digest, or Country
      • Default web traffic
      • Custom Rule list: A list of your enabled custom rules
      • Managed Ruleset list (Enterprise plan): A list of your enabled managed rulesets
  • Time period: Select Live (10 minute live window) or Past Day (24 hours)

You can control the internet traffic to your website in the following ways:

The rules obey the following order of execution by default:

  1. DDoS Mitigation rules
  2. IP blocking
  3. Custom Rules
  4. Managed Rulesets

When you have more than one custom rule, you can customize their order in the Firewall tab of the project.

You can quickly revert to a previous version of your firewall configuration. This can be useful in situations that require a quick recovery from unexpected behavior or rule creation.

To restore to a previous version:

  1. From your dashboard, select the project that you'd like to configure a rule for and then select the Firewall tab
  2. Select the View Audit Log option by clicking on the ellipsis menu at the top right
  3. Find the version that you would like to restore to by using the date and time selectors
  4. Select Restore and then Restore Configuration on the confirmation modal

Depending on your plan, there are limits for each Vercel WAF feature.

FeatureHobbyProEnterprise
Project level IP BlockingUp to 10Up to 100Custom
Account-level IP BlockingN/AN/ACustom
Custom RulesUp to 3Up to 40Up to 1000
Custom Rule ParametersAllAllAll
Managed RulesetsN/AN/AContact sales
  • For Account-level IP Blocking, CIDR rules are limited to /16 for IPv4 and /48 for IPv6
  • For Custom Rule Parameters, JA3 (Legacy) is available on Enterprise plans

Note: If your project needs more than these limits or for managed rulesets, contact us to discuss the Enterprise plan.

Contact Sales
Last updated on October 28, 2024