Rule Configuration Reference

List of configurable options with the Vercel WAF
For each custom rule that you create, you can configure one or more conditions with parameters from the incoming traffic that you compare with specific values using operators.

You also specify an action executed when all the conditions are met.

Request Path
  • The full request path on the incoming request, always starting with a leading /
  • Examples: /api, /signup/new
Target Path
  • The framework determined x-matched-path
  • Example: /blog/[slug]
  • When matching on the target path, the custom rule will run after middleware. If the rule blocks a request, middleware charges could be incurred
Method
  • The HTTP method used to make the request
  • Examples: GET, POST
User Agent
  • The HTTP user agent used to make the request
  • Example: curl
Request Header
  • The request header on the original request. Define both the header key and value you want to match
  • You cannot match headers set by middleware, as the rule runs before middleware is invoked
Query
  • Any incoming query parameter on the original request. Define both the query key and value you want to match
Cookie
  • Any incoming cookie on the original request. Define both the cookie key and value you want to match
Hostname
  • The hostname used for the incoming request
  • This applies to projects with multiple domains such as platforms that assign a domain to each user of the platform
IP Address
  • The original or forwarded IP address on the incoming request
  • Example: 10.0.0.1
Protocol
  • The HTTP protocol of the original request
  • Examples: HTTP/1.1, HTTP/2.0
Environment
  • The Vercel Environment that received this request
  • Preview or Production
Vercel Region
  • The Vercel region that received this request
  • See the Regions list
Continent
  • The continent based on the client IP address
  • A shorthand for the x-vercel-ip-continent header
State
  • The state (Country Region) based on the client IP address
  • A shorthand for the x-vercel-ip-country-region header
Country
  • The country based on the client IP address
  • A shorthand for the x-vercel-ip-country header
City
  • The city based on the client IP address
  • A shorthand for the x-vercel-ip-city header
AS Number
  • The Autonomous System Number based on the client IP address
  • Digits only, e.g. 12345
JA3 Digest
  • The calculated TLS digest of the incoming request
JA4 Digest
  • The calculated TLS digest of the incoming request

All operators are case insensitive.

Equals
  • An exact string match
Does not equal
  • Inverse of Equals
Is any of
  • An exact string match, matching any of the provided values
  • Acts like a SQL IN query
Is not any of
  • Ensures the source is not a match with any of the provided values
  • Acts like a SQL NOT IN query
Contains
  • Includes the provided value
Does not contain
  • Inverse of Contains
Starts with
  • A string operator matching the start of the string
  • Optimized for performance. It's preferred to use this over a regex prefix expression
Does not start with
  • Inverse of Starts with
Ends with
  • A string operator matching the end of the string
  • Optimized for performance. It's preferred to use this over a regex suffix expression
Does not end with
  • Inverse of Ends with
Matches expression
Does not match expression
  • Inverse of Matches expression
Exists
  • Useful when matching a key value pair like a header, query parameter or cookie
  • Checks that the key exists regardless of value
Does not exist
  • Useful when matching a key value pair like a header, query parameter or cookie
  • Ensures that the key does not exist

Log
  • Tracks the matching of this rule without blocking traffic. Requests matching this rule are visible in the Firewall overview page.
  • If another rule blocks the traffic before a log rule executes, the request is not considered a match for that log rule
  • If another rule blocks the traffic after a log rule executes, the request is tagged to the rule that blocked the traffic and does not appear in the log rule
Challenge
  • Conditionally blocks traffic with a browser challenge.
  • If the client fails to solve the challenge, the rule continues to block the traffic
  • Once the client solves the challenge, the rule is bypassed and remaining rules (if any) are evaluated. The request is allowed if none of the remaining rules block
Deny
  • Blocks the request and no further rules are evaluated.
Bypass
  • If matched, it bypasses any remaining custom rules
  • Once the client solves the challenge, this rule is bypassed and remaining rules (if any) are evaluated. The request is allowed if none of the remaining rules block
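
The evaluation semantics described on this page (all conditions must match, operators are case insensitive, and Log, Challenge, Deny and Bypass interact in rule order), as an added JavaScript model that is not Vercel's code. The rule object shape, operator identifiers and request fields are assumptions made for the example, as are the handling of missing keys and the treatment of an unsolved challenge as a block.

```javascript
// Simplified model of the rule semantics on this page; not Vercel's implementation.
// Parameter, operator and action identifiers below are hypothetical names.
const lc = (s) => String(s).toLowerCase();
const OPS = {
  equals: (v, x) => lc(v) === lc(x),
  is_any_of: (v, xs) => xs.map(lc).includes(lc(v)),
  contains: (v, x) => lc(v).includes(lc(x)),
  starts_with: (v, x) => lc(v).startsWith(lc(x)),
  ends_with: (v, x) => lc(v).endsWith(lc(x)),
  matches: (v, x) => new RegExp(x, "i").test(v),
  exists: () => true, // only reached when the key is present
};

// Assumption: a missing value fails every positive operator, and `not: true`
// ("Does not ...") is the strict inverse of the positive operator.
function conditionMatches(cond, req) {
  const raw = cond.key ? (req[cond.param] || {})[lc(cond.key)] : req[cond.param];
  const hit = raw !== undefined && OPS[cond.op](raw, cond.value);
  return cond.not ? !hit : hit;
}

// Rules run in order; a rule fires only when ALL of its conditions match.
function evaluate(rules, req, { challengeSolved = false } = {}) {
  const logged = [];
  for (const rule of rules) {
    if (!rule.conditions.every((c) => conditionMatches(c, req))) continue;
    if (rule.action === "log") logged.push(rule.name);
    if (rule.action === "bypass") return { outcome: "allow", by: rule.name, logged };
    const blocks = rule.action === "deny" ||
      (rule.action === "challenge" && !challengeSolved);
    // A later block takes the tag: the request no longer counts for log rules.
    if (blocks) return { outcome: rule.action, by: rule.name, logged: [] };
  }
  return { outcome: "allow", by: null, logged };
}

// Constructed sample rule set and request.
const RULES = [
  { name: "log-api", action: "log",
    conditions: [{ param: "path", op: "starts_with", value: "/API" }] },
  { name: "challenge-curl", action: "challenge",
    conditions: [{ param: "userAgent", op: "contains", value: "curl" }] },
  { name: "deny-no-key", action: "deny", conditions: [
    { param: "path", op: "starts_with", value: "/api" },
    { param: "headers", key: "x-api-key", op: "exists", not: true }] },
];
const REQ = { path: "/api/users", userAgent: "curl/8.4.0", headers: {} };
```

Calling evaluate(RULES, REQ) shows the log rule losing its match to the challenge that fires after it; passing { challengeSolved: true } lets evaluation continue to the deny rule.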
