Vercel Web Application Firewall instantly propagates globally and scales on-demand to keep your application serving only desired traffic.
50k
40k
30k
20k
10k
0k
11:07:10
11:08:40
11:09:10
11:10:40
11:11:10
11:12:40
| System | Amount | Ratio |
|---|---|---|
| Default Web Traffic allow | 502.0k | 53.00% |
| Attack Challenge Mode challenge | 3.0k | 53.00% |
| DDoS Protection block | 1.0k | 53.00% |
| Total | 506.0k | 100% |
Log request starting with /
Challenge user agents that look like bots
Block traffic from Germany
Global propagation of firewall changes in 300ms ensures immediate enforcement of new and updated rules.
Secure your compute and backends from undesired traffic, at the edge.
Access framework-level target paths, like /blog/[slug] for more dynamic rule creation.
Automatically mitigate Layer 3, DDoS, and other high-volume attacks before they reach your applications.
Use the WAF's UI or API to define custom business logic and precisely control traffic.
Mitigate the most critical risks, like OWASP Top 10, using predefined advanced rulesets.
Browser checks help ensure that only legitimate users can access your application during an attack.
Custom protection for your web applications.
Get insights into what's blocked by Vercel Firewall.
Custom rule changes propagate globally in under 300ms, removing the delay between rule creation and enforcement.
Leverage Vercel's framework awareness of your application to make granular custom rules.
15+ parameters give you flexibility to determine what criteria should be met before taking an action.
Instant rollback of custom rules ensure accidental rule creations don't cause harm to your traffic.
Take action based on 15+ parameters, like: target path, location, IP, User Agent, JA4 and more.
Test rules by activate passively to see what would happen before you take action.
Run an automated browser check to verify a user's legitimacy before they access your application.
Block traffic that violates custom rules and make the blocks persistent for a specified time period.
Implement granular traffic frequency control to prevent app access abuse.
Vercel WAF builds on top of platform-wide, global security protecting all customers.
Monitor and manage the traffic that comes to your web applications.
Protects compute resources against malicious actors and threats like DDoS.
Vercel's WAF is a customizable security tool that protects each customer’s web applications from various online threats and attacks, it’s part of the larger Vercel Firewall that acts as a system-wide defense for all Vercel customers.
Yes, the WAF is available for use on all plans.
Vercel’s WAF sits at the edge and applies its logic to all incoming requests. Due to how the Vercel infrastructure is configured, a request cannot bypass the Vercel Firewall or WAF once enabled. Rules are evaluated against the incoming request in the order they are configured and act according to any actions met.
The Vercel WAF can be customized to a business’s own priorities to stop Layer 7/application layer attacks based on 15+ parameters like target path, request path, headers, cookies, user agents, JA3/JA4 digests, and more.
The system Vercel Firewall protects against Layer 3 attacks like DDoS and SYN flood attacks, while managed rulesets help protect against OWASP Top 10 risks like SQL injection and cross-site scripting (XSS).
Yes, you can customize rules and policies to fit your specific security needs.
Yes, it offers detailed logs and reports on security events and blocked threats by visiting the Firewall tab within the dashboard. The Firewall visibility is performed on a per-project basis and can link directly to Monitoring queries that can be used to conduct deeper investigations.
The WAF is embedded within the Vercel Edge Network and is therefore designed to work with all web applications hosted on Vercel. Prior to fulfilling any request, the WAF rules will be evaluated.
Go to your dashboard > Project > Firewall tab. For more information, read the documentation here.
Yes, you can set up different WAF configurations for each project.
Yes, you can configure WAF to block IP addresses in two ways: either via the business logic of a custom firewall rule or by leveraging WAF IP Blocks which performs IP denies even earlier in the request lifecycle.
It's recommended to review and update your rules regularly, especially after significant changes to your application.
The WAF is embedded into the same request lifecycle flow of the Vercel Edge Network and is designed to have minimal impact on performance while providing robust security.
Yes, it's built to scale and can handle high-traffic websites efficiently.
Prior to publishing a WAF rule with an action that would affect users, you can publish an active firewall rule with a “log” action which will enable you to passively observe how the rule would affect traffic. Upon evaluating the behavior of the rule, you can either further customize them or update the rule with the intended action.
You can adjust your WAF rules to reduce false positives, you are in full control of your WAF and changes propagate globally in around 300ms, meaning any changes you publish will immediately reflect globally.
Yes, it works with custom domains configured in your Vercel project.
