IT Docs
Operations

Security

Protecting your app on Vercel — Deployment Protection for access control, the Firewall and WAF, bot management, and Attack Challenge Mode.

Vercel's security features fall into two buckets: controlling who can reach a deployment (Deployment Protection) and filtering malicious traffic (the Firewall and WAF). Every plan gets automatic, platform-wide DDoS mitigation underneath all of this.

Deployment Protection

Deployment Protection restricts who can view your preview and production URLs. The methods:

  • Vercel Authentication — only members of your Vercel team (and people they authorize) can view the deployment. The default, zero-config way to keep previews private.
  • Password Protection — gate a deployment behind a shared password.
  • Trusted IPs — allow access only from specific IP addresses or ranges (Enterprise).

You configure these per project and can scope them to preview only, production only, or both — a common setup is locking down previews while leaving production public.

Bypassing protection for automation

CI pipelines, E2E tests, and uptime monitors need to reach protected deployments without a human solving a challenge. Protection Bypass for Automation issues a token for exactly that: provide a valid token and the request skips Deployment Protection (Vercel Authentication, Password Protection, Trusted IPs) and bot challenges. Vercel exposes one secret as the VERCEL_AUTOMATION_BYPASS_SECRET environment variable, and you can create multiple secrets per project (one per tool). Crucially, the bypass does not lift active DDoS mitigations or attack-time rate limits — real attacks are still blocked.

The Firewall and WAF

The Vercel Firewall is a layered defense. The platform-wide layer automatically mitigates network-level (L3/L4) attacks like DDoS for every customer, regardless of plan. On top of it sits the Web Application Firewall (WAF), which you customize to filter application-layer (L7) traffic.

With the WAF you can write custom rules that log, block, challenge, or rate-limit requests based on 15+ parameters — path, location, IP, user agent, cookies, JA3/JA4 TLS fingerprints, and more. Vercel also provides managed rulesets that protect against common risks like the OWASP Top 10 (SQL injection, XSS) without you writing rules yourself. Because the WAF runs at the edge in the request path, traffic can't bypass it once enabled, and custom rule changes propagate globally in under ~300ms.

The Firewall tab in each project's sidebar gives you a live traffic view and alerts, so you can watch what's being allowed, challenged, and blocked, and drill into anomalies — which ties directly into Observability.

Bot management

The bot protection managed ruleset (available on all plans) challenges non-browser traffic with a JavaScript challenge, filtering automated threats while letting legitimate clients through. It catches requests that falsely claim to be a browser (for example, a curl request pretending to be Chrome) and automatically excludes verified bots like search-engine crawlers. You can run it in log mode (observe only) or challenge mode (enforce).

Bot protection relies on signals it reads directly from the client, so it doesn't work well behind a reverse proxy (Cloudflare, Azure, another CDN) in front of Vercel — the proxy masks the signals and legitimate users may get challenged.

Attack Challenge Mode

When you're under a targeted attack, Attack Challenge Mode requires every visitor to pass a security challenge before reaching your site, while known good bots (search engines, webhook providers) and your own internal requests (functions, cron jobs calling your other projects) pass through automatically. It's free on all plans, blocked requests don't count toward usage, and it's safe to leave on for extended periods without hurting SEO. Because the Firewall already handles routine DDoS automatically, reserve Attack Challenge Mode for highly targeted incidents rather than as a permanent setting — toggle it under Firewall → Bot Management.

A sensible baseline

For an internal tool: keep Vercel Authentication on for previews, enable the bot protection ruleset, set up a Protection Bypass secret for your CI/monitoring, and know where Attack Challenge Mode is if you ever need it. Layer in WAF custom rules (IP allow-lists, rate limits on sensitive routes) as the app grows.

On this page