Attack Challenge Mode

Learn how to use Attack Challenge Mode to help control who has access to your site when it's under attack.

Attack Challenge Mode is available on all plans

Those with the member role can access this feature

Attack Challenge Mode is a security feature that protects your site during DDoS attacks. When enabled, human visitors will see a quick challenge before accessing your site, while known bots (like search engines and webhook providers) are automatically allowed through.

The Vercel Firewall automatically mitigates against DDoS attacks, but Attack Challenge Mode provides an extra layer of protection for highly targeted attacks.

Attack Challenge Mode is available for free on all plans and requests blocked by challenge mode do not count towards your usage limits.

What is a challenge?

When Attack Challenge Mode is enabled, Vercel presents human visitors with a quick security check on their first visit. This verifies they're real people before allowing access to your site.

Visitors will see a Vercel Security Checkpoint that requires no interaction but will delay their experience for a few seconds:

Vercel Challenge Page
Vercel Challenge Page

The challenge page is localized to 22 languages based on the visitor's browser settings and respects their preferred color scheme.

Known Bots Support

Vercel maintains and continuously updates a comprehensive directory of known legitimate bots from across the internet. Attack Challenge Mode automatically recognizes and allows these bots to pass through without being challenged. Here are some examples of the bot categories and services that are automatically allowed:

  • Advertising or marketing: Google Ads, Facebook Ads
  • AI Assistant, Crawler, and Search: ChatGPT, Bing AI, ClaudeBot
  • Feed fetcher: RSS readers, Feedly
  • Monitoring or analytics: Google Analytics, Pingdom
  • Page preview: Facebook Preview, X (Twitter) Cards
  • Search engine crawler: Googlebot, Bingbot, Yandex
  • Security tools: Security scanners, vulnerability checkers
  • Social media marketing: LinkedIn, X (Twitter)
  • Webhooks: Payment processors (Stripe, PayPal)
  • Internal requests: See Internal Requests

This list shows just a small sample of the supported bots. Vercel's bot directory is regularly updated to include new legitimate services as they emerge, ensuring your SEO, analytics, integrations, and essential services continue to function even with Attack Challenge Mode enabled.

To block specific known bots instead of allowing them through, you can create a Custom Rule that matches their User Agent.

Internal Requests

When Attack Challenge Mode is enabled, requests from your own Functions and Cron Jobs are automatically allowed through without being challenged. This means your application's internal operations will continue to work normally.

For example, if you have multiple projects in your Vercel account:

  • Your projects can communicate with each other without being challenged
  • Only requests from outside your account will be challenged
  • Each Vercel account has its own secure boundary

Other Vercel accounts cannot bypass Attack Challenge Mode on your projects. The security is strictly enforced per account, ensuring that only your own projects can communicate without challenges.

Enabling Attack Challenge Mode

While Vercel's Firewall automatically monitors for and mitigates attacks, you can enable Attack Challenge Mode during targeted attacks for additional security.

To enable:

  1. Select your project from the Dashboard.
  2. Navigate to the Firewall tab.
  3. Click the Enable Attack Challenge Mode button, and in the following dialog, select Enable.

All traffic initiated by web browsers, including API traffic, is supported. For example, a Next.js frontend calling a Next.js API in the same project will work properly.

Standalone APIs, other backend frameworks, and non-recognized automated services may not be able to pass challenges and could be blocked. If you need more control over what traffic is challenged, consider using Custom Rules with the Vercel WAF.

How long to keep it enabled

Attack Challenge Mode can be safely used for extended periods without affecting search engine indexing or webhook functionality. However, since Vercel's Firewall already provides automatic DDoS protection, we recommend using it primarily when facing highly targeted attacks rather than as a permanent setting.

Disabling Attack Challenge Mode

When you no longer need the additional protection:

  1. Select your project from the Dashboard
  2. Navigate to the Firewall tab.
  3. Click the Disable Attack Challenge Mode button, and in the following dialog, select Disable.

Challenging with Custom Rules

For more granular control, you can challenge specific web traffic by defining a Custom Rule with the Vercel WAF.

Search indexing

Search engine crawlers like Googlebot are automatically allowed through Attack Challenge Mode without being challenged. This means enabling Attack Challenge Mode will not negatively impact your site's SEO or search engine indexing, even when used for extended periods.

Supported Languages

  • English
  • Arabic
  • Bengali
  • Chinese
  • French
  • German
  • Hindi
  • Italian
  • Japanese
  • Javanese
  • Korean
  • Marathi
  • Polish
  • Portuguese
  • Punjabi
  • Russian
  • Spanish
  • Tamil
  • Telugu
  • Turkish
  • Urdu
  • Vietnamese

Pricing

Attack Challenge Mode is available for free on all plans.

All mitigations by Attack Challenge Mode are free and unlimited, and there are zero costs associated with traffic blocked by Attack Challenge Mode.

Last updated on March 12, 2025
Previous
Spend Management
Next
Audit Logs