Reference

Rule Configuration Reference

List of configurable options with the Vercel WAF
Table of Contents

For each custom rule that you create, you can configure one or more conditions with parameters from the incoming traffic that you compare with specific values using operators.

You also specify an action executed when all the conditions are met.

Custom Rule Parameters
Parameter
Description
Example
Note

Request Path

The full request path on the incoming request, always starting with a leading /

/api, /signup/new

Target Path

The framework determined x-matched-path

/blog/[slug]

When matching on the target path, the custom rule will run after middleware. If the rule blocks a request, middleware charges could be incurred

Method

The HTTP method used to make the request

GET, POST

User Agent

The HTTP user agent used to make the request

curl

Request Header

The request header on the original request. Define both the header key and value you want to match

You cannot match headers set by middleware, as the rule runs before middleware is invoked

Query

Any incoming query parameter on the original request. Define both the query key and value you want to match

Cookie

Any incoming cookie on the original request. Define both the query key and value you want to match

Hostname

The hostname used for the incoming request

This applies to projects with multiple domains such as platforms that assign a domain to each user of the platform

IP Address

The original or forwarded IP address on the incoming request

10.0.0.1, 10.0.0.1/32

Protocol

The HTTP protocol of the original request

HTTP/1.1, HTTP/2.0

Environment

The Vercel Environment that received this request

Preview or Production

Vercel Region

The Vercel region that received this request

Regions list

Continent

The continent based on the client IP address

A shorthand for the x-vercel-ip-continent header

State

The state (Country Region) based on the client IP address

A shorthand for the x-vercel-ip-country-region header

Country

The country based on the client IP address

A shorthand for the x-vercel-ip-country header

City

The city based on the client IP address

A shorthand for the x-vercel-ip-city header

AS Number

The Autonomous System Number based on the client IP address

Digits only, e.g. 12345

Digits only

JA3 Digest

The calculated TLS digest of the incoming request

JA4 Digest

The calculated TLS digest of the incoming request

@vercel/firewall

ID for a rate limit instrumented in code via the `@vercel/firewall` package

All operators are case insensitive.

Operators Rule Parameters
Parameter
Description

Equals

  • An exact string match

Does not equal

Inverse of Equals

Is any of

  • An exact string match, matching any of the provided values
  • Acts like a SQL IN query

Is not any of

  • Ensures the source is not a match with any of the provided values
  • Acts like a SQL NOT IN query

Contains

  • Includes the provided value

Does not contain

Inverse of Contains

Starts with

  • A string operator matching the start of the string
  • Optimized for performance. It's preferred to use this over a regex prefix expression

Does not start with

Inverse of Starts with

Ends with

  • A string operator matching the end of the string
  • Optimized for performance. It's preferred to use this over a regex suffix expression

Does not end with

Inverse of Ends with

Matches expression

Does not match expression

Inverse of Matches expression

Exists

  • Useful when matching a key value pair like a header, query parameter or cookie
  • Checks that the key exists regardless of value

Does not exist

  • Useful when matching a key value pair like a header, query parameter or cookie
  • Ensures that the key does not exist

NameDescriptionNote
LogTracks the matching of this rule without blocking traffic. Requests matching this rule are visible in the Firewall overview page.
  • If another rule blocks the traffic before a log rule executes, the request is not considered a match for that log rule
  • If another rule blocks the traffic after a log rule executes, the request is tagged to the rule that blocked the traffic and does not appear in the log rule
ChallengeConditionally blocks traffic with browser challenge.
  • If the client fails to solve the challenge, the rule continues to block the traffic
  • Once the client solves the challenge, the rule is bypassed and remaining rules (if any) are evaluated. The request is allowed if none of the remaining rules block
DenyBlocks the request and no further rules are evaluated.
BypassIf matched, it bypasses any remaining custom rulesOnce the client solves the challenge, this rule is bypassed and remaining rules (if any) are evaluated. The request is allowed if none of the remaining rules block
RedirectIf matched, it redirects the client to the target path set in the to field
  • Redirects the request and no further rules are evaluated
  • The target path in the to field can be absolute or relative to the project deployment's root
Last updated on July 26, 2024