Attack Challenge Mode
Learn how to use Attack Challenge Mode to help control who has access to your site when it's under attack.Attack Challenge Mode is a security feature that protects your site during DDoS attacks. When enabled, human visitors will see a quick challenge before accessing your site, while known bots (like search engines and webhook providers) are automatically allowed through.
The Vercel Firewall automatically mitigates against DDoS attacks, but Attack Challenge Mode provides an extra layer of protection for highly targeted attacks.
Attack Challenge Mode is available for free on all plans and requests blocked by challenge mode do not count towards your usage limits.
When Attack Challenge Mode is enabled, Vercel presents human visitors with a quick security check on their first visit. This verifies they're real people before allowing access to your site.
Visitors will see a Vercel Security Checkpoint that requires no interaction but will delay their experience for a few seconds:


The challenge page is localized to 22 languages based on the visitor's browser settings and respects their preferred color scheme.
Vercel maintains and continuously updates a comprehensive directory of known legitimate bots from across the internet. Attack Challenge Mode automatically recognizes and allows these bots to pass through without being challenged. Here are some examples of the bot categories and services that are automatically allowed:
- Advertising or marketing: Google Ads, Facebook Ads
- AI Assistant, Crawler, and Search: ChatGPT, Bing AI, ClaudeBot
- Feed fetcher: RSS readers, Feedly
- Monitoring or analytics: Google Analytics, Pingdom
- Page preview: Facebook Preview, X (Twitter) Cards
- Search engine crawler: Googlebot, Bingbot, Yandex
- Security tools: Security scanners, vulnerability checkers
- Social media marketing: LinkedIn, X (Twitter)
- Webhooks: Payment processors (Stripe, PayPal)
- Internal requests: See Internal Requests
This list shows just a small sample of the supported bots. Vercel's bot directory is regularly updated to include new legitimate services as they emerge, ensuring your SEO, analytics, integrations, and essential services continue to function even with Attack Challenge Mode enabled.
To block specific known bots instead of allowing them through, you can create a Custom Rule that matches their User Agent.
When Attack Challenge Mode is enabled, requests from your own Functions and Cron Jobs are automatically allowed through without being challenged. This means your application's internal operations will continue to work normally.
For example, if you have multiple projects in your Vercel account:
- Your projects can communicate with each other without being challenged
- Only requests from outside your account will be challenged
- Each Vercel account has its own secure boundary
Other Vercel accounts cannot bypass Attack Challenge Mode on your projects. The security is strictly enforced per account, ensuring that only your own projects can communicate without challenges.
While Vercel's Firewall automatically monitors for and mitigates attacks, you can enable Attack Challenge Mode during targeted attacks for additional security.
To enable:
- Select your project from the Dashboard.
- Navigate to the Firewall tab.
- Click the Enable Attack Challenge Mode button, and in the following dialog, select Enable.
All traffic initiated by web browsers, including API traffic, is supported. For example, a Next.js frontend calling a Next.js API in the same project will work properly.
Standalone APIs, other backend frameworks, and non-recognized automated services may not be able to pass challenges and could be blocked. If you need more control over what traffic is challenged, consider using Custom Rules with the Vercel WAF.
Attack Challenge Mode can be safely used for extended periods without affecting search engine indexing or webhook functionality. However, since Vercel's Firewall already provides automatic DDoS protection, we recommend using it primarily when facing highly targeted attacks rather than as a permanent setting.
When you no longer need the additional protection:
- Select your project from the Dashboard
- Navigate to the Firewall tab.
- Click the Disable Attack Challenge Mode button, and in the following dialog, select Disable.
For more granular control, you can challenge specific web traffic by defining a Custom Rule with the Vercel WAF.
Search engine crawlers like Googlebot are automatically allowed through Attack Challenge Mode without being challenged. This means enabling Attack Challenge Mode will not negatively impact your site's SEO or search engine indexing, even when used for extended periods.
- English
- Arabic
- Bengali
- Chinese
- French
- German
- Hindi
- Italian
- Japanese
- Javanese
- Korean
- Marathi
- Polish
- Portuguese
- Punjabi
- Russian
- Spanish
- Tamil
- Telugu
- Turkish
- Urdu
- Vietnamese
Attack Challenge Mode is available for free on all plans.
All mitigations by Attack Challenge Mode are free and unlimited, and there are zero costs associated with traffic blocked by Attack Challenge Mode.
Was this helpful?