WAF Rate Limiting

Learn how to configure custom rate limiting rules with the Vercel Web Application Firewall (WAF).
Table of Contents

WAF Rate Limiting is available on Pro and Enterprise plans

Rate limiting allows you to control the number of times that a request from the same source can hit your application within a specific timeframe. This could happen due to multiple reasons, such as malicious activity or a software bug.

The use of rate limiting rules helps ensure that only intended traffic reaches your resources such as API endpoints or external services, giving you better control over usage costs.

  1. From your dashboard, select the project that you'd like to configure rate limiting for. Then select the Firewall tab
  2. Select Configure on the top right of the Firewall overview page. Then, select + New Rule
  3. Complete the fields for the rule as follows
    1. Type a name to help you identify the purpose of this rule for future reference
    2. In the Configure section, add as many If conditions as needed:

      All conditions must be true for the action to happen.

    3. For the Then action, select Rate Limit
      • If this is the first time you are creating a rate limit rule, you will need to review the Rate Limiting Pricing dialog and select Continue
    4. Select Fixed Window (Pro and Enterprise) or Token Bucket (Enterprise) for the limiting strategy
    5. Update the Time Window field as needed (defaults to 60s) and the Request Limit field as needed (defaults to 100 requests)
      • The Request Limit defines the maximum number of requests allowed in the selected time window from a common source
    6. Select the key(s) from the request's source that you want to match against
    7. For the Then action, you can leave the Default (429) action or choose between Log, Deny and Challenge

      The Log action will not perform any blocks. You can use it to first monitor the effect before applying a rate limit or block action.

  4. Select Save Rule
  5. Apply the changes:
    • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
    • Select Review Changes and review the changes to be applied
    • Select Publish to apply the changes to your production deployment
  6. Go to the Firewall overview page, select your Custom Rule from the traffic grouping drop-down and select the paramater(s) related to the condition(s) of your Custom Rule to observe the traffic and check whether it's working as expected:
ResourceHobbyProEnterprise
Included counting keysN/AIP, JA4 DigestIP, JA4 Digest, User Agent and arbitrary Header keys
Counting algorithmN/AFixed windowFixed window, Token bucket
Counting windowN/AMinimum: 10s, Maximum: 10minsMinimum: 10s, Maximum: 1hr
Number of rulesN/A401000

The pricing is based on the region(s) from which the requests come from.

Select a Region
Managed Infrastructure pricing
Resource
Measurement Metric
Price

WAF Rate Limiting

1,000,000 Allowed Requests$0.50
Last updated on October 28, 2024