Rule Configuration Reference
For each custom rule that you create, you can configure one or more conditions with parameters from the incoming traffic that you compare with specific values using operators. For each new condition, you can choose how you combine it with the previous condition using the AND (Both conditions need to be met) or the OR operator (One of the conditions need to be met).
You also specify an action executed when all the conditions are met.
Parameter | Description | Example | Note |
|---|---|---|---|
Request Path | The full request path on the incoming request, always starting with a leading | /api, /signup/new | |
Target Path | The framework determined | /blog/[slug] | When matching on the target path, the custom rule will run after middleware. If the rule blocks a request, middleware charges could be incurred |
Raw Path | The raw request path, ignoring any parsing or normalizing that might be done at the framework level | /api/, /signup/new/ | |
Method | The HTTP method used to make the request | GET, POST | |
User Agent | The HTTP user agent used to make the request | curl | |
Request Header | The request header on the original request. Define both the header key and value you want to match | You cannot match headers set by middleware, as the rule runs before middleware is invoked | |
Query | Any incoming query parameter on the original request. Define both the query key and value you want to match | ||
Cookie | Any incoming cookie on the original request. Define both the query key and value you want to match | ||
Hostname | The hostname used for the incoming request | This applies to projects with multiple domains such as platforms that assign a domain to each user of the platform | |
IP Address | The original or forwarded IP address on the incoming request | 10.0.0.1, 10.0.0.1/32 | |
Protocol | The HTTP protocol of the original request | HTTP/1.1, HTTP/2.0 | |
Environment | The Vercel Environment that received this request | Preview or Production | |
Vercel Region | The Vercel region that received this request | Regions list | |
Continent | The continent based on the client IP address | A shorthand for the | |
State | The state (Country Region) based on the client IP address | A shorthand for the | |
Country | The country based on the client IP address | A shorthand for the | |
City | The city based on the client IP address | A shorthand for the | |
AS Number | The Autonomous System Number based on the client IP address | Digits only, e.g. 12345 | Digits only |
JA3 Digest | The calculated TLS digest of the incoming request | ||
JA4 Digest | The calculated TLS digest of the incoming request | ||
@vercel/firewall | ID for a rate limit instrumented in code via the `@vercel/firewall` package |
All operators are case insensitive.
Parameter | Value | Description |
|---|---|---|
Equals |
|
|
Does not equal |
| Inverse of Equals |
Is any of |
|
|
Is not any of |
|
|
Contains |
|
|
Does not contain |
| Inverse of Contains. Set the |
Starts with |
|
|
Ends with |
|
|
Matches expression |
|
|
Does not match expression |
| Inverse of Matches expression. Set the |
| Name | Description | Note |
|---|---|---|
| Log | Tracks the matching of this rule without blocking traffic. Requests matching this rule are visible in the Firewall overview page. |
|
| Challenge | Conditionally blocks traffic with browser challenge. |
|
| Deny | Blocks the request and no further rules are evaluated. | |
| Bypass | If matched, it bypasses any remaining custom rules. | WAF bypass rules do not bypass system-level mitigations such as DDoS Mitigation. To do so, you can use the Bypass System-level Mitigations feature. |
| Redirect | If matched, it redirects the client to the target path set in the to field. |
|
Was this helpful?