# Challenge cookie-less requests on a specific path

**Author:** DX Team

---

In the following example, we send a `PATCH` request to the [Update Firewall Configuration](/docs/rest-api/reference/endpoints/security/update-firewall-configuration) endpoint of the [Vercel REST API security group](/docs/rest-api/reference/endpoints/security). This request creates a new rule in your project's WAF configuration.

> Both the `conditionGroup` and `action` body parameters are **required** fields

This strategy helps you prevent unauthorized access to sensitive information on specific paths of your web application, and protect against [Cross-Site Request Forgery (CSRF) attacks](https://vercel.com/blog/understanding-csrf-attacks).

To enable this on your Vercel project, create a [custom rule](/docs/security/vercel-waf/custom-rules) using the following code:

``export async function PATCH() { let baseUrl = 'https://api.vercel.com/v1/security/firewall/config'; let teamId = 'team_a5j...'; let projectId = 'QmTrK...'; const body = JSON.stringify({ action: 'rules.insert', id: null, value: { active: true /** Whether this rule is enabled or not in your Vercel WAF configuration */, name: 'Challenge Cookieless requests', description: 'Challenge all traffic without session cookies on a specific path', conditionGroup: [{ conditions: [ /** Both conditions need to be true */ { op: 'pre' /** Operator used to compare - pre equivalent to "Starts with" */, type: 'path' /** Parameter from incoming traffic */, value: '/api', }, { neg: true, /** Perform negative match */ op: "ex", /** Operator used to compare - ex equivalent to "Does not contain" */, type: 'cookie' /** Parameter from incoming traffic */, value: '_session', }, ], }, ], action: { mitigate: { action: 'challenge', rateLimit: null, redirect: null, actionDuration: null, }, }, }, }); let res = await fetch(`${baseUrl}?projectId=${projectId}&teamId=${teamId}`, { method: 'PATCH', headers: { Authorization: `Bearer ${process.env.VERCEL_TOKEN}`, 'Content-Type': 'application/json', }, body, }); if (!res.ok) { return Response.json( { status: 'Failed to update Firewall' }, { status: res.status }, ); } return Response.json({ status: 'New rule added to Firewall' }); }`` ## Related - [WAF Examples](/docs/security/vercel-waf/examples)
  
- [WAF Custom Rules](/docs/security/vercel-waf/custom-rules)

---

[View full KB sitemap](/kb/sitemap.md)
