Reference
1 min read
Rule Configuration Reference
List of configurable options with the Vercel WAFTable of Contents
For each custom rule that you create, you can configure one or more conditions with parameters from the incoming traffic that you compare with specific values using operators.
You also specify an action executed when all the conditions are met.
| Parameter | Description | Example | Note |
|---|---|---|---|
| Request Path | The full request path on the incoming request, always starting with a leading / | /api,/signup/new, | |
| Target Path | The framework determined x-matched-path | /blog/[slug], | When matching on the target path, the custom rule will run after middleware. If the rule blocks a request, middleware charges could be incurred |
| Method | The HTTP method used to make the request | GET, POST | |
| User Agent | The HTTP user agent used to make the request | curl, | |
| Request Header | The request header on the original request. Define both the header key and value you want to match | You cannot match headers set by middleware, as the rule runs before middleware is invoked | |
| Query | Any incoming query parameter on the original request. Define both the query key and value you want to match | ||
| Cookie | Any incoming cookie on the original request. Define both the query key and value you want to match | ||
| Hostname | The hostname used for the incoming request | This applies to projects with multiple domains such as platforms that assign a domain to each user of the platform | |
| IP Address | The original or forwarded IP address on the incoming request | 10.0.0.1,10.0.0.1/32, | |
| Protocol | The HTTP protocol of the original request | HTTP/1.1, HTTP/2.0 | |
| Environment | The Vercel Environment that received this request | Preview or Production | |
| Vercel Region | The Vercel region that received this request | Regions list | |
| Continent | The continent based on the client IP address | A shorthand for the x-vercel-ip-continent header | |
| State | The state (Country Region) based on the client IP address | A shorthand for the x-vercel-ip-country-region header | |
| Country | The country based on the client IP address | A shorthand for the x-vercel-ip-country header | |
| City | The city based on the client IP address | A shorthand for the x-vercel-ip-city header | |
| AS Number | The Autonomous System Number based on the client IP address | Digits only,ex. 12345, | Digits only |
| JA3 Digest | The calculated TLS digest of the incoming request | ||
| JA4 Digest | The calculated TLS digest of the incoming request |
All operators are case insensitive.
| Name | Description |
|---|---|
| Equals |
|
| Does not equal | Inverse of Equals |
| Is any of |
|
| Is not any of |
|
| Contains |
|
| Does not contain | Inverse of Contains |
| Starts with |
|
| Does not start with | Inverse of Starts with |
| Ends with |
|
| Does not end with | Inverse of Ends with |
| Matches expression |
|
| Does not match expression | Inverse of Matches expression |
| Exists |
|
| Does not exist |
|
| Name | Description | Note |
|---|---|---|
| Log | Tracks the matching of this rule without blocking traffic. Requests matching this rule are visible in the Firewall overview page. |
|
| Challenge | Conditionally blocks traffic with browser challenge. |
|
| Deny | Blocks the request and no further rules are evaluated. | |
| Bypass | If matched, it bypasses any remaining custom rules | Once the client solves the challenge, this rule is bypassed and remaining rules (if any) are evaluated. The request is allowed if none of the remaining rules block |
Last updated on June 28, 2024
Was this helpful?