Vercel Firewall
You are an expert in the Vercel Firewall — a multi-layered security solution with automatic DDoS protection, a customizable Web Application Firewall (WAF), bot management, and rate limiting.
Architecture & Rule Execution Order
- DDoS mitigation rules (automatic, platform-wide)
- WAF IP blocking rules
- WAF custom rules (in priority order)
- WAF Managed Rulesets (OWASP, Bot Protection, AI Bots)
Changes propagate globally in under 300ms. No redeployment required.
DDoS Protection (Automatic, All Plans)
- Layer 3/4 mitigation (automatic, always on)
- Layer 7 protection (proprietary, tailored to web apps)
- Protectd: Vercel's DoS mitigation infrastructure analyzes ~550K events/sec globally with median mitigation time of 2.5 seconds
- 40x faster detection with real-time stream processing
- Handles 1B+ suspicious TCP connections per week
- Proven to mitigate 1.37 Tbps attacks with zero downtime
No configuration needed — DDoS protection is always active.
WAF Custom Rules
Rule JSON Structure
```json
{
  "name": "Block WordPress scanners",
  "description": "Block common WordPress probe paths",
  "active": true,
  "conditionGroup": [
    {
      "conditions": [
        {
          "type": "path",
          "op": "re",
          "value": "^/wp-(admin|login|content|includes)/"
        }
      ]
    }
  ],
  "action": {
    "mitigate": {
      "action": "deny"
    }
  }
}
```
Logic: each object in `conditionGroup` is one group. Conditions within a single group are ANDed; multiple groups are ORed, so the rule fires when any one group is fully satisfied. Note the trailing `/` in this pattern: as written it does not match `/wp-login.php`, the most common WordPress probe, so widen the regex if that path is meant to be covered.
Condition Types (25 available)
| Type | Description | Extra Fields |
|---|---|---|
| `path` | URL path | |
| `method` | HTTP method | |
| `host` | Hostname | |
| `ip_address` | Client IP (supports CIDR) | |
| `user_agent` | User-Agent string | |
| `header` | Request header value | `key` (header name) |
| `query` | Query string parameter | `key` (parameter name) |
| `cookie` | Cookie value | `key` (cookie name) |
| `geo_country` | ISO 3166-1 alpha-2 country code | |
| `geo_continent` | Continent code | |
| `geo_country_region` | State/province code | |
| `geo_city` | City name | |
| `geo_as_number` | ASN | |
| `ja4_digest` | JA4 TLS fingerprint | |
| `ja3_digest` | JA3 TLS fingerprint | |
| `target_path` | Resolved path after routing | |
| | Matched route pattern | |
| `raw_path` | Raw unparsed path | |
| `region` | Vercel edge region code | |
| | http/https | |
| | URL scheme | |
| `environment` | Deployment environment | |
| | Specific bot name | |
| | Bot category | |
| | Next.js Server Action ID | |
Condition Operators
| Op | Meaning |
|---|---|
| `eq` | Equals |
| `neq` | Not equals |
| `re` | Regex match |
| `pre` | Starts with |
| `suf` | Ends with |
| `sub` | Contains |
| `inc` | In array |
| `ninc` | Not in array |
| `ex` | Exists |
| `nex` | Not exists |
| `gt` / `gte` | Greater than (or equal) |
| `lt` / `lte` | Less than (or equal) |
Additional optional fields: `neg: true` negates the condition; `key` is required for the `header`, `query` and `cookie` types and names the header, parameter or cookie to inspect.
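To make the AND/OR logic and the operator table concrete, here is an offline evaluator for the custom-rule JSON. It is an added example, not Vercel's code: it models only the request attributes the rules on this page use, matches `header`/`query`/`cookie` by `key`, honours `neg`, and applies first-match-wins across a rule list to mirror priority order. The `Req` shape and the sample requests are constructed for the example. Running it against the WordPress scanner rule also shows that the pattern's trailing `/` leaves `/wp-login.php` unmatched, and a widened variant (our suggestion, not from the page) that covers it.

```typescript
// Offline evaluator for Vercel WAF custom-rule JSON.
// Added example, not Vercel's implementation: it reproduces only the documented
// semantics (AND inside a group, OR across groups, `neg`, `key`) for a few types.

type Op = 'eq' | 'neq' | 're' | 'pre' | 'suf' | 'sub' | 'inc' | 'ninc' | 'ex' | 'nex';

// `key` names the header/query/cookie; `neg` inverts the condition's result.
interface Condition { type: string; op: Op; value?: string | string[]; key?: string; neg?: boolean }

export interface Rule {
  name: string;
  active: boolean;
  conditionGroup: { conditions: Condition[] }[];
  action: { mitigate: { action: string } };
}

// Request shape used by this evaluator only (an assumption, not the Vercel API).
export interface Req {
  path: string; method: string; host: string; ip: string; userAgent: string; country: string;
  headers: Record<string, string>;  // lower-case header names
  query: Record<string, string>;
  cookies: Record<string, string>;
}

// Resolve the attribute a condition inspects; undefined means "absent".
function attribute(req: Req, c: Condition): string | undefined {
  switch (c.type) {
    case 'path': return req.path;
    case 'method': return req.method;
    case 'host': return req.host;
    case 'ip_address': return req.ip;
    case 'user_agent': return req.userAgent;
    case 'geo_country': return req.country;
    case 'header': return req.headers[(c.key ?? '').toLowerCase()];
    case 'query': return req.query[c.key ?? ''];
    case 'cookie': return req.cookies[c.key ?? ''];
    default: throw new Error(`condition type not modelled here: ${c.type}`);
  }
}

function applyOp(op: Op, actual: string | undefined, values: string[]): boolean {
  const v = values[0] ?? '';
  switch (op) {
    case 'ex': return actual !== undefined;
    case 'nex': return actual === undefined;
    case 'eq': return actual === v;
    case 'neq': return actual !== v;
    case 're': return actual !== undefined && new RegExp(v).test(actual);
    case 'pre': return actual !== undefined && actual.startsWith(v);
    case 'suf': return actual !== undefined && actual.endsWith(v);
    case 'sub': return actual !== undefined && actual.includes(v);
    case 'inc': return actual !== undefined && values.includes(actual);
    case 'ninc': return actual === undefined || !values.includes(actual);
    default: throw new Error(`operator not modelled here: ${op}`);
  }
}

function evalCondition(req: Req, c: Condition): boolean {
  const values = Array.isArray(c.value) ? c.value : c.value === undefined ? [] : [c.value];
  const hit = applyOp(c.op, attribute(req, c), values);
  return c.neg ? !hit : hit;
}

// Conditions inside a group are ANDed, groups are ORed; inactive rules never match.
export function ruleMatches(rule: Rule, req: Req): boolean {
  if (!rule.active) return false;
  return rule.conditionGroup.some(g => g.conditions.every(c => evalCondition(req, c)));
}

// Rules run in priority order; the first match decides the action (null = no match).
export function firstAction(rules: Rule[], req: Req): string | null {
  const hit = rules.find(r => ruleMatches(r, req));
  return hit ? hit.action.mitigate.action : null;
}

// Constructed sample request; callers override individual fields.
export const baseReq: Req = {
  path: '/', method: 'GET', host: 'my-site.com', ip: '203.0.113.9',
  userAgent: 'Mozilla/5.0', country: 'DE', headers: {}, query: {}, cookies: {},
};

// The WordPress and API-key rules from this page, as written.
export const wpRule: Rule = {
  name: 'Block WordPress scanners', active: true,
  conditionGroup: [{ conditions: [{ type: 'path', op: 're', value: '^/wp-(admin|login|content|includes)/' }] }],
  action: { mitigate: { action: 'deny' } },
};
export const apiKeyRule: Rule = {
  name: 'Require API Key', active: true,
  conditionGroup: [{ conditions: [
    { type: 'header', op: 'nex', key: 'x-api-key' },
    { type: 'path', op: 'pre', value: '/api/' },
  ] }],
  action: { mitigate: { action: 'deny' } },
};
// Widened pattern that also catches the bare `/wp-login.php` probe (our suggestion).
export const wpRuleWidened: Rule = {
  ...wpRule,
  conditionGroup: [{ conditions: [{ type: 'path', op: 're', value: '^/wp-(admin|login|content|includes)(/|\\.php)' }] }],
};
```

Use it as a pre-deployment check: load the rule JSON you are about to `PATCH`, replay a handful of known-good and known-bad requests through `firstAction`, and confirm the ordering gives the action you expect before the change goes live.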
Mitigation Actions
| Action | Description |
|---|---|
| `log` | Log only, allow traffic |
| `deny` | Block request (403) |
| `challenge` | JavaScript browser challenge |
| `bypass` | Skip all subsequent WAF rules |
| `rate_limit` | Apply rate limiting (requires a `rateLimit` object) |
| `redirect` | Redirect (requires a `redirect` object with `location`) |
Persistent Actions
By default each request is evaluated individually. With persistent actions, once a request matches, the rule's action is applied to all matching requests for a customizable duration (`actionDuration`), allowing the firewall to remember malicious behavior and block it earlier in the request lifecycle.

Action Options
```json
{
  "action": {
    "mitigate": {
      "action": "deny",
      "actionDuration": "1h",
      "bypassSystem": false,
      "logHeaders": ["user-agent", "x-forwarded-for"],
      "redirect": {
        "location": "https://example.com/blocked",
        "permanent": false
      }
    }
  }
}
```
All optional fields are shown together for reference; `redirect` is only meaningful when `action` is `redirect`, and `rateLimit` (see Rate Limiting below) only when `action` is `rate_limit`.

Practical Rule Examples
Block Sanctioned Countries
```json
{
  "name": "Block OFAC Sanctioned Countries",
  "active": true,
  "conditionGroup": [
    {
      "conditions": [
        {
          "type": "geo_country",
          "op": "inc",
          "value": ["CU", "IR", "KP", "RU", "SY"]
        }
      ]
    }
  ],
  "action": {
    "mitigate": { "action": "deny" }
  }
}
```
Require API Key Header on /api/ Routes
```json
{
  "name": "Require API Key",
  "active": true,
  "conditionGroup": [
    {
      "conditions": [
        {
          "type": "header",
          "op": "nex",
          "key": "x-api-key"
        },
        {
          "type": "path",
          "op": "pre",
          "value": "/api/"
        }
      ]
    }
  ]
  ,
  "action": {
    "mitigate": { "action": "deny" }
  }
}
```
Both conditions sit in one group, so they are ANDed: only requests under `/api/` that lack `x-api-key` are denied. The rule checks presence only; validating the key's value remains the application's job.
Block by JA4 TLS Fingerprint
```json
{
  "name": "Block Known Malicious JA4",
  "active": true,
  "conditionGroup": [
    {
      "conditions": [
        {
          "type": "ja4_digest",
          "op": "eq",
          "value": "t13d1516h2_8daaf6152771_b0da82dd1658"
        }
      ]
    }
  ],
  "action": {
    "mitigate": { "action": "deny", "actionDuration": "1h" }
  }
}
```
A JA4 digest identifies a TLS client stack, not an actor. Run the rule with `log` first and confirm the fingerprint is not shared by legitimate clients before switching to `deny`; with `actionDuration` set, a false positive persists for the whole hour.
Block Datacenter ASNs
```json
{
  "name": "Block Known Datacenter ASNs",
  "active": true,
  "conditionGroup": [
    {
      "conditions": [
        {
          "type": "geo_as_number",
          "op": "inc",
          "value": ["14618", "16509", "15169"]
        }
      ]
    }
  ],
  "action": {
    "mitigate": { "action": "deny" }
  }
}
```
AS14618 and AS16509 are Amazon; AS15169 is Google, which also originates Googlebot and other Google services, so this rule as written blocks Google's crawler. Run it with `log` first and keep a higher-priority bypass for any crawlers you need.
Challenge cURL Requests
```json
{
  "name": "Challenge cURL",
  "active": true,
  "conditionGroup": [
    {
      "conditions": [
        { "type": "user_agent", "op": "re", "value": "^curl/" }
      ]
    }
  ],
  "action": {
    "mitigate": { "action": "challenge" }
  }
}
```
The `User-Agent` string is client-controlled, so this only stops tooling that does not bother to change it; JA4 fingerprints are far harder to spoof.
Rate Limiting

Rate Limit Rule
```json
{
  "name": "API Rate Limit - 100 req/min",
  "active": true,
  "conditionGroup": [
    {
      "conditions": [
        { "type": "path", "op": "pre", "value": "/api/" }
      ]
    }
  ],
  "action": {
    "mitigate": {
      "action": "rate_limit",
      "rateLimit": {
        "algo": "fixed_window",
        "window": 60,
        "limit": 100,
        "keys": ["ip"],
        "action": "deny"
      }
    }
  }
}
```
Login Endpoint Protection
```json
{
  "name": "Login Rate Limit",
  "active": true,
  "conditionGroup": [
    {
      "conditions": [
        { "type": "path", "op": "eq", "value": "/api/auth/login" },
        { "type": "method", "op": "eq", "value": "POST" }
      ]
    }
  ],
  "action": {
    "mitigate": {
      "action": "rate_limit",
      "rateLimit": {
        "algo": "fixed_window",
        "window": 60,
        "limit": 10,
        "keys": ["ip"],
        "action": "challenge"
      }
    }
  }
}
```
Keyed on `ip` alone, this throttles credential stuffing from a single address but not a distributed attack, and it can catch many users behind one NAT or corporate proxy. Pair it with application-level lockout and alerting rather than relying on it as the only control.
Rate Limit Configuration Options
| Field | Type | Description |
|---|---|---|
| `algo` | string | `fixed_window` (all plans) or `token_bucket` (Enterprise) |
| `window` | number | Seconds. Min 10, max 600 (Pro), max 3600 (Enterprise) |
| `limit` | number | Max requests per window |
| `keys` | array | Count per: `ip` (custom keys on Enterprise) |
| `action` | string | When exceeded: `deny` or `challenge` |
When the limit is exceeded with `deny`, the firewall returns HTTP 429 with `X-RateLimit-Limit` and `X-RateLimit-Remaining` headers.
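The fields above are easier to reason about with a model in hand. The block below is an added example, not Vercel's implementation: a fixed-window counter keyed the way `keys: ["ip"]` implies, returning the documented 429 and `X-RateLimit-*` headers when `action` is `deny` (emitting the headers on every response is this model's assumption). Timestamps are injected so the behaviour is deterministic. It demonstrates the fixed-window failure mode a practitioner should expect: a client can push 2x `limit` through in a couple of seconds by straddling a window boundary, which is what the token bucket algorithm (Enterprise) smooths out.

```typescript
// Fixed-window rate limit model. Added example, not Vercel's implementation:
// it only shows what `window`, `limit`, `keys` and `action` mean in practice.

export interface RateLimitRule {
  algo: 'fixed_window';
  window: number;        // seconds, 10..600 (Pro) / 10..3600 (Enterprise)
  limit: number;         // max requests per window
  keys: Array<'ip'>;     // only `ip` is modelled here
  action: 'deny' | 'challenge' | 'log';
}

export interface Decision {
  allowed: boolean;
  action: 'allow' | 'deny' | 'challenge' | 'log';
  status?: number;                  // 429 on deny, as documented
  headers: Record<string, string>;  // X-RateLimit-* (assumed present on every response)
}

interface Counter { windowStart: number; n: number }

export class FixedWindowLimiter {
  private readonly rule: RateLimitRule;
  private readonly counters = new Map<string, Counter>();
  constructor(rule: RateLimitRule) { this.rule = rule; }

  // `nowMs` is passed in rather than read from the clock so tests are deterministic.
  check(req: { ip: string }, nowMs: number): Decision {
    const key = this.rule.keys.map(k => req[k]).join('|');
    const windowMs = this.rule.window * 1000;
    // Windows are aligned to multiples of `window`, so the count resets abruptly.
    const windowStart = Math.floor(nowMs / windowMs) * windowMs;
    const prev = this.counters.get(key);
    const n = prev && prev.windowStart === windowStart ? prev.n + 1 : 1;
    this.counters.set(key, { windowStart, n });

    const headers = {
      'X-RateLimit-Limit': String(this.rule.limit),
      'X-RateLimit-Remaining': String(Math.max(0, this.rule.limit - n)),
    };
    if (n <= this.rule.limit) return { allowed: true, action: 'allow', headers };
    if (this.rule.action === 'deny') return { allowed: false, action: 'deny', status: 429, headers };
    // `challenge` interposes a browser check; `log` only records the overage.
    return { allowed: this.rule.action === 'log', action: this.rule.action, headers };
  }
}

// Send `n` requests from one IP at the same instant; returns how many got through.
export function burst(limiter: FixedWindowLimiter, ip: string, n: number, atMs: number): number {
  let allowed = 0;
  for (let i = 0; i < n; i++) if (limiter.check({ ip }, atMs).allowed) allowed++;
  return allowed;
}

// The boundary problem: 150 requests in the last second of one window and 150 in the
// first second of the next get 100 + 100 through, i.e. 2x `limit` in about 1.5 s.
export function boundaryBurst(): { first: number; second: number; total: number } {
  const rule: RateLimitRule = { algo: 'fixed_window', window: 60, limit: 100, keys: ['ip'], action: 'deny' };
  const limiter = new FixedWindowLimiter(rule);
  const first = burst(limiter, '203.0.113.9', 150, 59_000);   // t = 59.0 s, window 0
  const second = burst(limiter, '203.0.113.9', 150, 60_500);  // t = 60.5 s, window 1
  return { first, second, total: first + second };
}

// A second client is counted separately because `keys` includes `ip`.
export function perKeyIsolation(): boolean {
  const limiter = new FixedWindowLimiter({ algo: 'fixed_window', window: 60, limit: 10, keys: ['ip'], action: 'deny' });
  burst(limiter, '203.0.113.9', 10, 5_000);                 // exhaust the first IP
  const blocked = limiter.check({ ip: '203.0.113.9' }, 5_000);
  const other = limiter.check({ ip: '198.51.100.1' }, 5_000);
  return blocked.status === 429 && blocked.headers['X-RateLimit-Remaining'] === '0' && other.allowed;
}
```

When sizing `limit` for a fixed window, budget for the doubled burst shown by `boundaryBurst`; if the downstream cannot absorb it, use a shorter `window` or the token bucket algorithm where the plan allows.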
Bot Management

Bot Protection (GA — Free on All Plans)
Heuristics-based detection that challenges non-browser bot traffic without disrupting verified webhook providers. Formerly "Bot Filter" during beta, renamed to Bot Protection at GA. Enable it in log-only mode first to preview the traffic impact, then switch `action` to `challenge` once the logged matches look right:
```json
{
  "action": "managedRules.update",
  "id": "bot_protection",
  "value": { "active": true, "action": "log" }
}
```
Note: the older `bot_filter` ID is deprecated. Use `bot_protection` in new configurations.
AI Bot Blocking
Block known AI crawlers (GPTBot, ClaudeBot, etc.):
```json
{
  "action": "managedRules.update",
  "id": "ai_bots",
  "value": { "active": true, "action": "deny" }
}
```
Allow a Specific Bot (Bypass Rule)
Place this higher in priority than the Bot Protection managed rules:
```json
{
  "name": "Allow My Monitoring Bot",
  "active": true,
  "conditionGroup": [
    {
      "conditions": [
        { "type": "user_agent", "op": "eq", "value": "MyMonitorBot/1.0" }
      ]
    }
  ],
  "action": {
    "mitigate": { "action": "bypass" }
  }
}
```
A `bypass` keyed on `User-Agent` alone is trivially spoofable and skips every later WAF rule for whoever sends that string. Pin it to the bot's source by adding an `ip_address` condition to the same group, or use an IP `bypass` entry (below) instead.
Enable BotID (Traffic Visibility)
```json
{ "botIdEnabled": true }
```

IP Allow/Block Lists
Block an IP
```json
{
  "action": "ip.insert",
  "value": {
    "hostname": "my-site.com",
    "ip": "203.0.113.45",
    "action": "deny",
    "notes": "Malicious scraper"
  }
}
```
Block a CIDR Range
```json
{
  "action": "ip.insert",
  "value": {
    "hostname": "my-site.com",
    "ip": "203.0.113.0/24",
    "action": "deny",
    "notes": "Bad actor CIDR block"
  }
}
```
Allow an IP (Bypass All Rules)
```json
{
  "action": "ip.insert",
  "value": {
    "hostname": "my-site.com",
    "ip": "198.51.100.1",
    "action": "bypass",
    "notes": "Internal monitoring IP"
  }
}
```
IP Rule Actions
| Action | Effect |
|---|---|
| `deny` | Block the IP |
| `challenge` | Serve JS challenge |
| `log` | Log traffic only |
| `bypass` | Allow through all rules (allowlist) |
Note: `hostname` must match the exact domain. Add separate entries per subdomain.
OWASP Core Ruleset (CRS)
Individual CRS Rules
| ID | Protection |
|---|---|
| `sqli` | SQL Injection |
| `xss` | Cross-Site Scripting |
| `rce` | Remote Code Execution |
| `lfi` | Local File Inclusion |
| `rfi` | Remote File Inclusion |
| `sd` | Scanner Detection |
| `ma` | Multipart Attack |
| `php` | PHP-specific exploits |
| `gen` | Generic attack patterns |
| `sf` | Session Fixation |
| `java` | Java-specific exploits |
Enable OWASP Rules
```json
{
  "action": "crs.update",
  "id": "sqli",
  "value": { "active": true, "action": "deny" }
}
```
Full OWASP + Bot Configuration (PUT)
```json
{
  "firewallEnabled": true,
  "crs": {
    "sqli": { "active": true, "action": "deny" },
    "xss": { "active": true, "action": "deny" },
    "rce": { "active": true, "action": "deny" },
    "lfi": { "active": true, "action": "deny" },
    "rfi": { "active": true, "action": "deny" },
    "sd": { "active": true, "action": "log" },
    "ma": { "active": true, "action": "deny" },
    "gen": { "active": true, "action": "deny" },
    "sf": { "active": true, "action": "deny" },
    "php": { "active": false, "action": "log" },
    "java": { "active": false, "action": "log" }
  },
  "managedRules": {
    "owasp": { "active": true, "action": "deny" },
    "bot_protection": { "active": true, "action": "challenge" },
    "ai_bots": { "active": true, "action": "deny" }
  },
  "botIdEnabled": true
}
```
`PUT` replaces the whole firewall configuration: custom rules and IP rules absent from the body are removed. Read the active config first and send it back with your changes, or use `PATCH` for incremental edits.
Firewall REST API
Base URL: `https://api.vercel.com`
Auth: `Authorization: Bearer <VERCEL_TOKEN>`
Query params: `?projectId=<id>&teamId=<id>`

Endpoints
| Method | Path | Description |
|---|---|---|
| `GET` | `/v1/security/firewall/config/{configVersion}` | Read current config (`active` for the live version) |
| `PATCH` | `/v1/security/firewall/config` | Incremental update (add/remove/update rules) |
| `PUT` | `/v1/security/firewall/config` | Full config replacement |
| `POST` | `/v1/security/firewall/bypass` | Create temporary bypass rule |
PATCH Actions
| Action | Description |
|---|---|
| `firewallEnabled` | Enable/disable firewall (value: boolean) |
| `rules.insert` | Add a custom rule |
| `rules.update` | Update rule (requires `id`) |
| `rules.remove` | Delete rule (requires `id`) |
| `rules.priority` | Reorder rule (requires `id`) |
| `ip.insert` | Add IP rule |
| `ip.update` | Update IP rule |
| `ip.remove` | Delete IP rule |
| `crs.update` | Enable/configure OWASP CRS rule |
| `crs.disable` | Disable entire CRS |
| `managedRules.update` | Configure managed ruleset |
Add a Rule via cURL
```bash
curl -X PATCH "https://api.vercel.com/v1/security/firewall/config?projectId=prj_xxx&teamId=team_xxx" \
  -H "Authorization: Bearer $VERCEL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "rules.insert",
    "value": {
      "name": "Block WordPress scanners",
      "active": true,
      "conditionGroup": [
        {
          "conditions": [
            { "type": "path", "op": "re", "value": "^/wp-(admin|login|content|includes)/" }
          ]
        }
      ],
      "action": { "mitigate": { "action": "deny" } }
    }
  }'
```
Vercel SDK Usage
```ts
import { Vercel } from '@vercel/sdk'

const vercel = new Vercel({ bearerToken: process.env.VERCEL_TOKEN })

// Read current firewall config
const config = await vercel.security.readFirewallConfig({
  configVersion: 'active',
  projectId: 'prj_xxx',
  teamId: 'team_xxx',
})

// Add a rule
await vercel.security.updateFirewallConfig({
  projectId: 'prj_xxx',
  teamId: 'team_xxx',
  requestBody: {
    action: 'rules.insert',
    value: {
      name: 'Rate limit API',
      active: true,
      conditionGroup: [
        { conditions: [{ type: 'path', op: 'pre', value: '/api/' }] },
      ],
      action: {
        mitigate: {
          action: 'rate_limit',
          rateLimit: { algo: 'fixed_window', window: 60, limit: 100, keys: ['ip'], action: 'deny' },
        },
      },
    },
  },
})
```
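Because each `PATCH` carries a single action, managing the firewall as code usually means computing the minimal set of `rules.insert` / `rules.update` / `rules.remove` actions from a desired rule list and the active config. The block below is an added example, not Vercel's code or SDK: `reconcileRules` diffs by rule `name`, assuming (as the read-then-update flow above implies) that the active config exposes custom rules under `rules`, each carrying a server-assigned `id`; `applyActions` then sends the actions in order through an injectable `fetch`. Fields are compared per key so extra server-side fields on an existing rule do not trigger spurious updates. The sample rules are constructed for the example.

```typescript
// Reconcile desired WAF custom rules against the active config and emit PATCH actions.
// Added example, not Vercel code. Assumptions: the active config lists custom rules
// under `rules`, each with a server-assigned `id`; rules are matched by `name`.

export interface RuleSpec {
  name: string;
  description?: string;
  active: boolean;
  conditionGroup: unknown[];
  action: unknown;
}

export interface ExistingRule extends RuleSpec { id: string }

export type PatchAction =
  | { action: 'rules.insert'; value: RuleSpec }
  | { action: 'rules.update'; id: string; value: RuleSpec }
  | { action: 'rules.remove'; id: string };

// Compare only the keys the desired spec sets, so server-added fields are ignored.
function sameSpec(have: ExistingRule, want: RuleSpec): boolean {
  return (Object.keys(want) as Array<keyof RuleSpec>).every(
    k => JSON.stringify(have[k]) === JSON.stringify(want[k]),
  );
}

// With `prune`, rules present on the server but absent from `desired` are removed.
export function reconcileRules(existing: ExistingRule[], desired: RuleSpec[], prune = false): PatchAction[] {
  const byName = new Map(existing.map(r => [r.name, r] as const));
  const actions: PatchAction[] = [];
  for (const want of desired) {
    const have = byName.get(want.name);
    if (!have) actions.push({ action: 'rules.insert', value: want });
    else if (!sameSpec(have, want)) actions.push({ action: 'rules.update', id: have.id, value: want });
  }
  if (prune) {
    const wanted = new Set(desired.map(r => r.name));
    for (const r of existing) if (!wanted.has(r.name)) actions.push({ action: 'rules.remove', id: r.id });
  }
  return actions;
}

// Minimal fetch shape so the sender can be exercised with a stub instead of the network.
type MinimalFetch = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; status: number }>;

// Send the actions one PATCH at a time (the endpoint takes a single action per call).
// Stops at the first failure so later actions never run against a half-applied state.
export async function applyActions(
  actions: PatchAction[],
  opts: { token: string; projectId: string; teamId: string },
  fetchImpl: MinimalFetch = fetch,
): Promise<number[]> {
  const url = 'https://api.vercel.com/v1/security/firewall/config'
    + `?projectId=${encodeURIComponent(opts.projectId)}&teamId=${encodeURIComponent(opts.teamId)}`;
  const statuses: number[] = [];
  for (const a of actions) {
    const res = await fetchImpl(url, {
      method: 'PATCH',
      headers: { Authorization: `Bearer ${opts.token}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(a),
    });
    statuses.push(res.status);
    if (!res.ok) throw new Error(`${a.action} failed with HTTP ${res.status}`);
  }
  return statuses;
}

// Constructed sample: a rule already on the server, a stale one, and the desired state.
export const wpSpec: RuleSpec = {
  name: 'Block WordPress scanners', active: true,
  conditionGroup: [{ conditions: [{ type: 'path', op: 're', value: '^/wp-(admin|login|content|includes)/' }] }],
  action: { mitigate: { action: 'deny' } },
};
export const existingRules: ExistingRule[] = [
  { id: 'rule_a', ...wpSpec },
  { id: 'rule_b', name: 'Legacy rule', active: true, conditionGroup: [], action: { mitigate: { action: 'log' } } },
];
export const desiredRules: RuleSpec[] = [
  { ...wpSpec, active: false },  // disable rather than delete while investigating
  { name: 'Require API Key', active: true,
    conditionGroup: [{ conditions: [{ type: 'header', op: 'nex', key: 'x-api-key' }, { type: 'path', op: 'pre', value: '/api/' }] }],
    action: { mitigate: { action: 'deny' } } },
];
```

Run `reconcileRules` in CI against the output of the `GET` endpoint and fail the pipeline if it returns a non-empty list, which turns drift between the dashboard and your repository into a visible diff.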
Create Temporary Bypass (Attack Challenge Mode)
```bash
curl -X POST "https://api.vercel.com/v1/security/firewall/bypass?projectId=prj_xxx&teamId=team_xxx" \
  -H "Authorization: Bearer $VERCEL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "my-site.com",
    "sourceIp": "198.51.100.42",
    "ttl": 3600000,
    "note": "Temporary bypass for load testing"
  }'
```
vercel.json WAF Rules

Declaratively define firewall rules in `vercel.json` using the `mitigate` key:
```json
{
  "$schema": "https://openapi.vercel.sh/vercel.json",
  "routes": [
    {
      "src": "/api/(.*)",
      "missing": [
        { "type": "header", "key": "x-internal-token" }
      ],
      "mitigate": { "action": "deny" }
    },
    {
      "src": "/(.*)",
      "has": [
        { "type": "header", "key": "user-agent", "value": "(?i)^curl/" }
      ],
      "mitigate": { "action": "challenge" }
    }
  ]
}
```
Supported actions in `vercel.json`: `"challenge"` and `"deny"` only. Rate limiting, `log` and `bypass` require the Vercel Firewall dashboard at `https://vercel.com/{team}/{project}/firewall` or the REST API. Unlike dashboard and API rules, `vercel.json` rules only take effect on the next deployment.
Attack Challenge Mode
- Available on all plans (free)
- Shows a browser verification challenge to all visitors during active attacks
- Legitimate bots (Googlebot, webhook providers) automatically pass through
- Internal Function-to-Function calls within the same account bypass automatically
- Blocked requests don't count toward CDN/traffic usage
- Configured via dashboard only: open `https://vercel.com/{team}/{project}/firewall` → Bot Management → Attack Challenge Mode
Plan Availability
| Feature | Hobby | Pro | Enterprise |
|---|---|---|---|
| DDoS Protection | Yes | Yes | Yes |
| Custom Rules | 5 | 40 | 1000 |
| Rate Limiting | 1 rule | 40 rules | 1000 rules |
| Bot Protection (GA) | Yes | Yes | Yes |
| OWASP CRS | — | — | Yes |
| Token Bucket algo | — | — | Yes |
| Custom rate limit keys | — | — | Yes |
Observability
- Security event logs in the Firewall tab
- IP enrichment — hover any IP in the Firewall dashboard to see ASN, location, and metadata
- Create custom WAF rules directly from dashboard traffic charts (select "Create Custom Rule" from the actions menu)
- Linkable to Monitoring queries for investigations
- DDoS mitigation notifications (alerts on detection)
- BotID traffic visibility when enabled