Scenario: After setting up authentication in your application, you would like to protect it against brute force attacks and other forms of abuse. To do so, you add a rate limiting rule that limits requests to the registration and login endpoints.
- Select your project from the Vercel dashboard and select the Firewall tab
- From the top right corner of the Firewall page, click the Configure button and then + New Rule
- For the Name, enter "Auth Abuse Prevention"
- For the Description, enter "Limits requests to registration and login endpoints to prevent abuse and brute force attacks"
- In the Configure section, set up the following If condition, which matches the request path against a regular expression:
  The Perl Compatible Regular Expression (PCRE) used is:
  ^/api/auth/(?:register|signup|login|signin)$
  It can be broken down as follows:
  - ^/api/auth/ : Matches the beginning of the request path, ensuring it starts with /api/auth/
  - (?:register|signup|login|signin) : Matches either register, signup, login, or signin
  - $ : Ensures the pattern matches to the end of the request path
- For the Then action, select Rate Limit
- Select Fixed Window for the limiting strategy with the following values:
  - 60s for the Time Window
  - 10 for the Request Limit
  - IP Address as the key for the request source match
- For the rate limiting Then action, choose Deny
- Select Save Rule
- Apply the changes:
  - When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
  - Select Review Changes and review the changes to be applied
  - Select Publish to apply the changes to your production deployment
This rule will apply to endpoints like /api/auth/register, /api/auth/signup and /api/auth/login, and will block any specific IP that tries to perform more than 10 requests in 60 seconds. This will prevent individual attackers from abusing these endpoints.
For distributed attacks, you can create a second rule with a similar configuration except for the following values:
- 100 for the Request Limit
- User agent as the key for the request source match
This will limit requests from specific types of clients.
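To make the behaviour of the two rules concrete, here is an added JavaScript model of the same logic (this is not Vercel's code and not the page's own example). It assumes a hypothetical request shape { path, ip, userAgent } and models the Fixed Window strategy as a counter that resets at each 60-second boundary; the first rule keys on the IP address with a limit of 10, the second on the User-Agent with a limit of 100, and any rule that trips denies the request. It also shows which paths the PCRE does and does not match.

```javascript
// Added example, not Vercel's implementation: a model of the two WAF rate
// limiting rules described above. Request shape {path, ip, userAgent} is an
// assumption made for this example.

// The PCRE from the rule, as a JavaScript regular expression.
const AUTH_PATH_RE = /^\/api\/auth\/(?:register|signup|login|signin)$/;

function matchesAuthPath(path) {
  return AUTH_PATH_RE.test(path);
}

// Fixed window limiter: each key gets a counter that resets whenever the
// request falls into a new window (windowStart = floor(now / windowMs) * windowMs).
class FixedWindowLimiter {
  constructor({ windowMs, limit, keyOf }) {
    this.windowMs = windowMs;   // Time Window (60s on the page)
    this.limit = limit;         // Request Limit (10 or 100 on the page)
    this.keyOf = keyOf;         // request source key: IP address or User-Agent
    this.counters = new Map();  // key -> { windowStart, count }
  }

  // Returns "allow" while the key is within its limit for the current window,
  // "deny" once the limit is exceeded.
  check(req, nowMs) {
    const key = this.keyOf(req);
    const windowStart = Math.floor(nowMs / this.windowMs) * this.windowMs;
    let entry = this.counters.get(key);
    if (!entry || entry.windowStart !== windowStart) {
      entry = { windowStart, count: 0 };
      this.counters.set(key, entry);
    }
    entry.count += 1;
    return entry.count > this.limit ? "deny" : "allow";
  }
}

// Rule 1 (per IP, limit 10) and rule 2 (per User-Agent, limit 100), both 60s windows.
function makeAuthAbuseRules() {
  return [
    new FixedWindowLimiter({ windowMs: 60000, limit: 10, keyOf: (r) => r.ip }),
    new FixedWindowLimiter({ windowMs: 60000, limit: 100, keyOf: (r) => r.userAgent }),
  ];
}

// "skip" when the path is not an auth endpoint; otherwise every rule's counter
// is updated and the request is denied if any rule trips.
function evaluate(rules, req, nowMs) {
  if (!matchesAuthPath(req.path)) return "skip";
  const verdicts = rules.map((rule) => rule.check(req, nowMs));
  return verdicts.includes("deny") ? "deny" : "allow";
}

// One IP repeatedly hitting /api/auth/login: 10 allowed, the 11th denied,
// allowed again once the 60s window has rolled over. Sample data is constructed.
function simulateSingleIp() {
  const rules = makeAuthAbuseRules();
  const req = { path: "/api/auth/login", ip: "203.0.113.7", userAgent: "curl/8.0" };
  const results = [];
  for (let i = 0; i < 11; i++) results.push(evaluate(rules, req, 1000));
  results.push(evaluate(rules, req, 61000)); // next window
  return results;
}

// Distributed case: 120 distinct IPs, one request each, sharing a User-Agent.
// The per-IP rule never trips, but the per-User-Agent rule denies from request 101.
function simulateDistributed() {
  const rules = makeAuthAbuseRules();
  const results = [];
  for (let i = 0; i < 120; i++) {
    const req = { path: "/api/auth/register", ip: `198.51.100.${i}`, userAgent: "bot/1.0" };
    results.push(evaluate(rules, req, 5000));
  }
  return results;
}
```

Because the PCRE is anchored with $, a request to /api/auth/login/ (trailing slash) or to an endpoint not listed in the alternation, such as /api/auth/logout, is not covered by the rule; if your application serves such variants, extend the pattern accordingly before relying on the rule.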