Scenario: After setting up authentication in your application, you want to protect it against brute force attacks and other forms of abuse. To do so, you add a rate limiting rule that limits requests to the registration and login endpoints.
Select your project from the Vercel dashboard and select the Firewall tab
From the top right corner of the Firewall page, click the Configure button and then + New Rule
For the Name, enter "Auth Abuse Prevention"
For the Description, enter "Limits requests to registration and login endpoints to prevent abuse and brute force attacks"
In the Configure section, set up an If condition on the request path using the regular expression ^/api/auth/(?:register|signup|login|signin)$, whose parts are:
^/api/auth/: Matches the beginning of the request path, ensuring it starts with /api/auth/
(?:register|signup|login|signin): Matches exactly one of register, signup, login, or signin
$: Ensures the pattern matches through the end of the request path, so paths with extra segments or a trailing slash do not match
For the Then action, select Rate Limit
Select Fixed Window for the limiting strategy with the following values:
60s for the Time Window
10 for the Request Limit
IP Address as the key for the request source match
For the action applied once the rate limit is exceeded, choose Deny
Select Save Rule
Apply the changes:
When you make any change, a Review Changes button appears (or updates) in the top right, showing the number of pending changes
Select Review Changes and review the changes to be applied
Select Publish to apply the changes to your production deployment
This rule applies to endpoints like /api/auth/register, /api/auth/signup and /api/auth/login, and denies requests from any single IP address that makes more than 10 requests to these endpoints within a 60-second window. This limits what an individual attacker can do from one address.
For distributed attacks, you can create a second rule with a similar configuration except for the following values:
100 for the Request Limit
User agent as the key for the request source match
This rule counts requests per User-Agent string rather than per IP address, so a client identified by the same User-Agent is limited to 100 requests per 60 seconds regardless of how many source addresses it uses. Because the User-Agent header is set by the client, treat this rule as a complement to the IP-based rule rather than a replacement for it.
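The following is an added example, not Vercel's code or the Firewall's implementation: it models both rules above (the path regex, a fixed-window counter keyed by IP address with a limit of 10 per 60 seconds, and a second counter keyed by User-Agent with a limit of 100 per 60 seconds) so you can check offline which paths the regex matches and how the counters behave against single-source and distributed traffic. The request objects, IP addresses and User-Agent strings are constructed for the simulation; the FixedWindowLimiter class and its method names are this example's own.

```javascript
// Added example (not Vercel's code): a model of the two rate-limit rules.

// Same expression as the rule's If condition; anchors on both ends.
const AUTH_PATH = /^\/api\/auth\/(?:register|signup|login|signin)$/;

function matchesAuthPath(path) {
  return AUTH_PATH.test(path);
}

// Fixed-window limiter: requests are counted per key inside aligned windows
// of `windowMs`; the counter resets when a new window begins.
class FixedWindowLimiter {
  constructor({ limit, windowMs, keyFn }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.keyFn = keyFn;
    this.counts = new Map(); // key -> { windowStart, count }
  }

  // Returns "allow" or "deny" for a request seen at `nowMs`.
  check(req, nowMs) {
    const key = this.keyFn(req);
    const windowStart = Math.floor(nowMs / this.windowMs) * this.windowMs;
    let entry = this.counts.get(key);
    if (!entry || entry.windowStart !== windowStart) {
      entry = { windowStart, count: 0 };
      this.counts.set(key, entry);
    }
    entry.count += 1;
    return entry.count > this.limit ? "deny" : "allow";
  }
}

// The two rules from the walkthrough: per-IP (10/60s) and per-User-Agent (100/60s).
function buildRules() {
  return [
    new FixedWindowLimiter({ limit: 10, windowMs: 60_000, keyFn: (r) => r.ip }),
    new FixedWindowLimiter({ limit: 100, windowMs: 60_000, keyFn: (r) => r.userAgent }),
  ];
}

// A request that does not match the path condition is not counted at all;
// otherwise every rule sees it and any Deny wins.
function evaluate(rules, req, nowMs) {
  if (!matchesAuthPath(req.path)) return "allow";
  const verdicts = rules.map((rule) => rule.check(req, nowMs));
  return verdicts.includes("deny") ? "deny" : "allow";
}

function tally(verdicts) {
  return {
    allowed: verdicts.filter((v) => v === "allow").length,
    denied: verdicts.filter((v) => v === "deny").length,
  };
}

// Constructed traffic for two scenarios, each against a fresh set of rules.
function simulate() {
  // Scenario 1: one IP sends 12 login requests in the same minute, then one
  // more after the window has rolled over (the counter resets).
  const single = buildRules();
  const singleVerdicts = [];
  for (let i = 0; i < 12; i++) {
    singleVerdicts.push(
      evaluate(single, { path: "/api/auth/login", ip: "203.0.113.10", userAgent: "Mozilla/5.0 (constructed)" }, i * 1000)
    );
  }
  singleVerdicts.push(
    evaluate(single, { path: "/api/auth/login", ip: "203.0.113.10", userAgent: "Mozilla/5.0 (constructed)" }, 60_000)
  );

  // Scenario 2: 120 distinct IPs each send one request with the same
  // User-Agent inside one window; the per-IP rule never trips, the
  // per-User-Agent rule denies everything past the 100th request.
  const distributed = buildRules();
  const distributedVerdicts = [];
  for (let i = 0; i < 120; i++) {
    distributedVerdicts.push(
      evaluate(distributed, { path: "/api/auth/register", ip: `198.51.100.${i}`, userAgent: "scanner/1.0 (constructed)" }, i * 100)
    );
  }

  return { singleIp: tally(singleVerdicts), distributed: tally(distributedVerdicts) };
}

console.log(JSON.stringify(simulate()));
```

Running the block prints {"singleIp":{"allowed":11,"denied":2},"distributed":{"allowed":100,"denied":20}}: the single address gets 10 requests through, is denied on the 11th and 12th, and is allowed again once the 60-second window rolls over; the distributed set is only stopped by the User-Agent rule.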