You or your security team noticed irregular traffic on your Vercel-hosted site. High request volumes from regions you don’t serve, users with outdated browsers or OS versions, or sudden spikes in authentication requests might indicate malicious or automated traffic. These patterns can inflate costs, skew analytics, or degrade performance for legitimate users.
Vercel provides built-in bot management features, including Bot Protection Managed Ruleset, AI Bots Managed Ruleset, BotID, and Custom Web Application Firewall (WAF) Rules to help mitigate these issues without blocking valid traffic. However, understanding when and how to use each feature effectively is key to maintaining both security and usability.
This guide walks through how to implement and tune these Vercel features to detect, analyze, and mitigate unwanted automated traffic to your Next.js application.
Before enabling protection, determine whether your site is truly seeing unwanted traffic.
- Sudden request spikes to login or checkout routes.
- Traffic spikes unassociated with expected high-traffic events or marketing campaigns, especially spikes that plateau for a period of time.
- High traffic from unsupported regions or data center networks, as tracked by Autonomous System Numbers (ASNs) like AWS, OVH, or DigitalOcean.
- Requests with outdated or malformed User-Agent headers.
- High 4xx or 5xx error rates from the same IP ranges.
- Suspicious referral patterns (e.g., all requests have Referer: null).
- Vercel Firewall Observability → view IP, User-Agent, and request counts.
- Vercel Observability → identify unusual traffic patterns and request metadata.
- Runtime Logs → filter for repeated hits to /api or /auth routes.
- External telemetry → correlate with Logflare, Datadog, or Sentry for patterns.
Tip: If you’re already using an external observability platform, consider draining Vercel logs to your observability platform before enabling blocking rules to establish a baseline.
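As an added example (not code from the Vercel guide), the function below scores a batch of request-log records against the indicators listed above: error rates per IP, share of traffic from data-center ASNs, outdated User-Agents, concentration on auth routes, and all-null referers. The record shape, thresholds and sample records are constructed for the demo.

```javascript
// Added example (not from the Vercel guide): scores a batch of request-log
// records against the indicators listed above. The record shape, thresholds
// and the ASN list are constructed for the demo and are not Vercel's own.
const DATACENTER_ASNS = new Set([16509, 14061, 16276]); // AWS, DigitalOcean, OVH
const AUTH_PATHS = [/^\/api\/auth/, /^\/login/, /^\/checkout/];
const OUTDATED_UA = [/MSIE [5-9]\./, /Windows NT 5\./, /Chrome\/[1-5]?\d\./];

function analyzeRequests(records, opts = {}) {
  const { errorRateMax = 0.5, minSamples = 5, dcShareMax = 0.3, authShareMax = 0.5 } = opts;
  const findings = [];
  const perIp = new Map();            // ip -> { total, errors }
  const outdatedIps = new Set();
  let dcCount = 0, nullReferer = 0, authHits = 0;
  for (const r of records) {
    const s = perIp.get(r.ip) || { total: 0, errors: 0 };
    s.total += 1;
    if (r.status >= 400) s.errors += 1;
    perIp.set(r.ip, s);
    if (DATACENTER_ASNS.has(r.asn)) dcCount += 1;
    if (r.referer === null || r.referer === 'null') nullReferer += 1;
    if (AUTH_PATHS.some((p) => p.test(r.path))) authHits += 1;
    if (OUTDATED_UA.some((p) => p.test(r.userAgent))) outdatedIps.add(r.ip);
  }
  for (const ip of outdatedIps) findings.push({ kind: 'outdated-ua', ip });
  for (const [ip, s] of perIp) {
    // Only judge error rates once an IP has enough samples to be meaningful.
    if (s.total >= minSamples && s.errors / s.total > errorRateMax) {
      findings.push({ kind: 'error-rate', ip, rate: s.errors / s.total });
    }
  }
  const n = records.length;
  if (n && dcCount / n > dcShareMax) findings.push({ kind: 'datacenter-share', share: dcCount / n });
  if (n && authHits / n > authShareMax) findings.push({ kind: 'auth-concentration', share: authHits / n });
  if (n && nullReferer === n) findings.push({ kind: 'null-referer-only' });
  return findings;
}

// Constructed sample: six failing login attempts from one cloud-hosted IP with an
// ancient User-Agent, plus two ordinary visitors (documentation IP ranges).
const SAMPLE = [
  ...Array.from({ length: 6 }, (_, i) => ({
    ip: '203.0.113.7', asn: 16509, path: '/api/auth/login', status: i < 5 ? 401 : 200,
    userAgent: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)', referer: null,
  })),
  { ip: '198.51.100.2', asn: 7922, path: '/', status: 200,
    userAgent: 'Mozilla/5.0 (Macintosh) Chrome/124.0.0.0', referer: 'https://example.com/' },
  { ip: '198.51.100.3', asn: 3320, path: '/pricing', status: 200,
    userAgent: 'Mozilla/5.0 (X11; Linux) Firefox/125.0', referer: 'https://example.com/' },
];
```

Running `analyzeRequests(SAMPLE)` on the constructed batch flags the outdated User-Agent, the high 4xx rate from 203.0.113.7, the data-center share, and the concentration on the auth route; feed it records drained from Vercel logs to build the baseline the tip above recommends.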
| Feature | Purpose | Visibility | Ideal Usage |
|---|---|---|---|
| Bot Protection Managed Ruleset | Detects and mitigates automated non-browser traffic at the edge. | Logs or challenges requests before app logic. | Use when you need edge-level protection from non-browser traffic. |
| AI Bots Managed Ruleset | Detects AI bots and either logs their access or denies them from reaching your site. | Logs or denies requests before app logic. | Use when you want to prevent AI bots from accessing your site. |
| BotID | Provides deep request analysis using AI classification. | Adds headers for advanced filtering. | Use when you want full visibility and control in middleware. |
| Custom WAF Rules | Define custom rate limits, region blocks, or filters. | Managed via Vercel Dashboard or API. | Use when you need tailored policies per endpoint or IP range. |
In this context, “non-browser traffic” refers to requests coming from headless sources, such as cURL commands, which may indicate that the requests are automated and/or malicious.
| Situation | Recommended Feature | Notes |
|---|---|---|
| You suspect automated abuse but want visibility first. | Bot Protection Managed Ruleset (Log Mode) | Safe starting point—no requests blocked. |
| You’ve confirmed malicious traffic and want to stop it. | Bot Protection Managed Ruleset (Challenge Mode) | Actively blocks or challenges suspicious bots. |
| You suspect AI bots are frequently hitting your site, but want visibility before taking action. | AI Bot Managed Ruleset (Log Mode) | Safe starting point—no requests blocked. |
| You want to prevent AI bots from scraping your site, using your content for training, or otherwise accessing your application. | AI Bot Managed Ruleset (Deny Mode) | Impacts how AI agents, such as ChatGPT-Operator, can access your site. Disabled by default. |
| You want to inspect or log bot scores per request. | BotID | Exposes bot metadata via headers for middleware logic. |
| You need to block specific IPs, regions, or request rates. | Custom WAF Rules | Fully customizable; complements Bot Protection. |
| You’re under active volumetric attack. | WAF + Challenge Mode | Combine protections for layered defense. |
Not all bots are harmful. Some are essential to your business or product visibility.
By default, Vercel allows verified bots to access your site, even when the Bot Protection Managed Ruleset is enabled. This can be changed by using the AI Bots Managed Ruleset in deny mode.
| Good Bot Type | Why You Should Allow It |
|---|---|
| Search engine crawlers (Googlebot, Bingbot) | Required for SEO indexing. |
| Uptime monitoring bots | Validate service health and uptime. |
| AI crawlers with transparent identification | Can drive discoverability and data partnerships. |
| AI agents | Provide potential users and customers with agentic access to your site content and/or product information. |
- Review Vercel’s default allowed bot list before tightening access controls.
- If your business relies on a bot that is listed as “unverifiable”, consider adding custom WAF rules to allow it to bypass any protections in place.
- Keep in mind that malicious users may spoof the metadata used to identify these bots, so a rate limit or other means of access control may still be necessary to ensure you do not overexpose your application to undue risk.
Are the bots you expect to be verified listed as “unverifiable” and getting blocked by Vercel? Vercel uses specific bot verification methods to ensure bots are who they claim to be.
For some bots, it is not possible to verify them via the above-mentioned methods. As a result, Vercel does not allow them to bypass system- and application-level protection.
- Navigate to Firewall → Rules → Bot Management in your Vercel Dashboard.
- Toggle Bot Protection to one of the following modes:
  - Log Mode (default for detection and visibility)
  - Challenge Mode (active blocking or JavaScript browser challenge/CAPTCHA)
- Publish your changes to have Bot Protection take effect.
Review: Vercel Bot Management Documentation
- Navigate to Firewall → Rules → Managed Rulesets in your Vercel Dashboard.
- Toggle AI Bots to one of the following options:
  - Log - Logs AI bot traffic without challenging or blocking it
  - On - Blocks AI bot traffic from accessing your site
- Publish your changes to have your AI Bots Managed Ruleset change take effect.
Review: AI Bot Managed Ruleset Documentation
Enabling BotID requires installing the BotID package, initializing the configuration, and deploying your project so BotID can begin inspecting requests. Once enabled, BotID automatically annotates incoming requests with bot classification data that you can read from request headers or view in the Vercel Dashboard.
For full installation, configuration, and deployment steps, see the official guides:
After BotID is enabled, you may integrate its request metadata into Next.js Middleware or your logging pipeline to support rate limiting, anomaly detection, fraud reduction, or traffic quality analysis.
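As an added example (not code from the Vercel guide or the BotID package), the following is decision logic you could call from Next.js Middleware once BotID annotates requests: verified good bots are allowed under a generous cap, unverified bots are denied on auth and checkout routes, and everyone else is rate limited per IP. The header names are hypothetical placeholders, as are the limits.

```javascript
// Added example (not from the Vercel guide or the BotID package): decision logic
// to call from Next.js Middleware, combining bot classification with a per-client
// rate limit. The header names are HYPOTHETICAL placeholders; take the real ones
// from the BotID documentation for your version.
const BOT_HEADER = 'x-example-bot';                // hypothetical: '1' when classified as a bot
const VERIFIED_HEADER = 'x-example-bot-verified';  // hypothetical: bot name when verified
const ALLOWED_VERIFIED_BOTS = new Set(['googlebot', 'bingbot']); // the "good bots" listed above
const SENSITIVE = [/^\/api\/auth/, /^\/login/, /^\/checkout/];

// Fixed-window counter per key. In-memory state is per edge instance, so for real
// enforcement across regions back this with a shared store (e.g. Redis or KV).
function createLimiter(windowMs) {
  const buckets = new Map(); // key -> { start, count }
  return (key, limit, now = Date.now()) => {
    const b = buckets.get(key);
    if (!b || now - b.start >= windowMs) {
      buckets.set(key, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  };
}

// req: { ip, pathname, headers } with lower-case header names, as middleware sees them.
function decide(req, allow, now = Date.now()) {
  const h = (name) => (req.headers[name] || '').toLowerCase();
  const isBot = h(BOT_HEADER) === '1';
  const verifiedAs = h(VERIFIED_HEADER);
  const sensitive = SENSITIVE.some((p) => p.test(req.pathname));
  if (verifiedAs && ALLOWED_VERIFIED_BOTS.has(verifiedAs)) {
    // Verified good bots get through, but metadata can be spoofed, so they still get a cap.
    return allow(`bot:${verifiedAs}`, 600, now)
      ? { action: 'allow', reason: 'verified-bot' }
      : { action: 'deny', reason: 'verified-bot-rate-limited' };
  }
  if (isBot && sensitive) return { action: 'deny', reason: 'bot-on-sensitive-path' };
  // Everyone else is rate limited by IP; tighter on auth and checkout routes.
  const limit = sensitive ? 10 : 120;
  return allow(`ip:${req.ip}`, limit, now)
    ? { action: 'allow', reason: isBot ? 'bot-logged' : 'ok' }
    : { action: 'deny', reason: 'rate-limited' };
}
```

In middleware, map `action: 'deny'` to a 403 response and log the `reason` so the outcome shows up next to the Firewall data when you tune thresholds.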
BotID Deep Analysis is not a free feature. Work with your Vercel account team to align on cost impact. See pricing info here.
Review: Vercel BotID Documentation
- Navigate to Firewall → Overview, Firewall → Rules → IP Blocking, or System Bypass Rules in your Vercel Dashboard.
- Create a new rule using one or more conditions (e.g., path, region, IP range, or request volume).
- Save and publish.
- Alternatively, you can configure custom WAF rules directly in vercel.json:

```json
{
  "$schema": "https://openapi.vercel.sh/vercel.json",
  "routes": [
    {
      "src": "/(.*)",
      "has": [{ "type": "header", "key": "x-react-router-prerender-data" }],
      "mitigate": { "action": "deny" }
    }
  ]
}
```

For a more detailed walkthrough, see our guide on getting started with custom WAF rules.
Vercel provides multiple observability layers to monitor and tune protection behavior.
- Go to Firewall → Overview or Firewall → Traffic to find your project’s Firewall analytics dashboards.
- Review:
  - Overview
    - Firewall status - Displays the current status of the Firewall, Bot Protection, and total number of rules.
    - Firewall Alerts - Shows recent Firewall Alerts, their current status, and total number of involved requests.
    - Firewall events - Shows recent Firewall events, the associated rule type, action taken, and more.
    - Traffic breakdown by action - Filter the entire Firewall dashboard by all traffic, allowed, logged, challenged, denied, or rate-limited.
    - Rules - Shows configured rules sorted by total amount of relevant traffic.
    - Denied IPs - Shows the country of origin, IP address, and total number of requests in the current evaluation period.
  - Traffic
    - Traffic breakdown by action - Filter the entire Firewall dashboard by all traffic, allowed, logged, challenged, denied, or rate-limited.
    - Rules - Shows configured rules sorted by total amount of relevant traffic.
    - Other key traffic information, such as top IPs, top user agents, top request paths, and more.
- For Alerts and events, you can click on each entry to expand into a full view with additional details and a link to explore further in Query.
- If you’re using Bot Protection in Log Mode, track when and if to enable Challenge Mode based on logged traffic.
- A request being logged doesn’t always mean it is illegitimate or malicious. Use Challenge Mode to enhance protection, or consider gradually tightening security with targeted custom WAF rules, like rate limits and geography-based blacklists.
If your project uses a reverse proxy, you may see the firewall status as “Limited”. This is because some reverse proxy configurations limit what request data is passed to Vercel, ultimately preventing or hindering Vercel’s firewall or your WAF from fully analyzing your application’s traffic.
To avoid this limitation, either remove the reverse proxy or configure Verified Proxy.
Review: Firewall Observability
If you have Observability Plus enabled, you can create custom queries to further evaluate Firewall data:
- Search for data by metrics like WAF Actions, Rule IDs, or BotID Deep Analysis checks.
- Open events or Alerts directly in Query to evaluate further.
- Use insights from Observability to determine when and how to tighten restrictions on your site.
- Establish baselines for rate limits, regions with legitimate users, and metadata trends for friendly bot traffic.
- When traffic or usage patterns deviate from these baselines, consider adding a new custom WAF rule to limit unwanted or malicious traffic, or toggle Bot Protection into Challenge Mode.
- Review and publish any changes to rulesets or features.
- For BotID, make the necessary updates to your code base and deploy your updated project.
- Validate:
  - Bot Protection and BotID logs appear in Firewall Observability.
  - Legitimate user traffic remains unaffected.
  - Suspicious test requests are blocked or challenged.
- Use tools like curl or k6 to simulate controlled traffic.
- Verify that rate limits, geographic-based blocks, and whitelists all function as expected.
Once completed:
- Bot Protection Managed Ruleset logs and optionally challenges automated traffic.
- AI Bot Managed Ruleset logs or blocks unwanted AI Bots.
- If enabled, BotID provides visibility into threat sources and patterns.
- Custom WAF Rules enforce region, IP, and rate-based filtering.
- Your application remains performant and secure for real users while mitigating automated abuse.
- Vercel Security and Protection Overview
- Vercel Bot Protection Documentation
- Vercel BotID Documentation
- Vercel Web Application Firewall
- Vercel Firewall Concepts
- Next.js Middleware
- Vercel Analytics
- Vercel Observability and Logs
- Vercel REST API Reference
If you encounter issues not covered by this guide:
- Visit Vercel Support
- Check Vercel Community
- If you’re on a Pro or Enterprise plan, open a ticket directly in your Vercel Dashboard