In the following example, we send a PATCH request to the Update Firewall Configuration endpoint in the security group of the Vercel REST API. This request creates a new rule in your project's WAF configuration.
Both the conditionGroup and action body parameters are required fields.
This strategy helps you prevent unauthorized access to sensitive information on specific paths of your web application and protects against Cross-Site Request Forgery (CSRF) attacks.
To enable this on your Vercel project, create a custom rule using the following code:
app/api/firewall/route.ts
export async function PATCH() {
  const baseUrl = 'https://api.vercel.com/v1/security/firewall/config';
  const teamId = 'team_a5j...';
  const projectId = 'QmTrK...';
  const body = JSON.stringify({
    action: 'rules.insert',
    id: null,
    value: {
      active: true, // Whether this rule is enabled in your Vercel WAF configuration
      name: 'Challenge Cookieless requests',
      description: 'Challenge all traffic without session cookies on a specific path',
      conditionGroup: [
        {
          conditions: [
            // Both conditions need to be true
            {
              op: 'pre', // Operator used to compare - pre is equivalent to "Starts with"
              type: 'path', // Parameter from incoming traffic
              value: '/api',
            },
            {
              neg: true, // Perform negative match
              op: 'ex', // Operator used to compare - ex tests that the parameter exists; with neg it matches when the cookie is absent
              type: 'cookie', // Parameter from incoming traffic
              value: '_session',
            },
          ],
        },
      ],
      action: {
        mitigate: {
          action: 'challenge',
          rateLimit: null,
          redirect: null,
          actionDuration: null,
        },
      },
    },
  });
  const res = await fetch(`${baseUrl}?projectId=${projectId}&teamId=${teamId}`, {
    method: 'PATCH',
    headers: {
      Authorization: `Bearer ${process.env.VERCEL_TOKEN}`,
      'Content-Type': 'application/json',
    },
    body,
  });
  if (!res.ok) {
    return Response.json(
      { status: 'Failed to update Firewall' },
      { status: res.status },
    );
  }
  return Response.json({ status: 'New rule added to Firewall' });
}
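As an added example (not Vercel's code), the following evaluates the rule's conditionGroup locally against constructed sample requests, so you can check which traffic would be challenged and that the two required fields are present before calling the API. Operator meanings follow the comments in the rule above; treating several condition groups as alternatives (OR) and the sample traffic are assumptions.

```typescript
// Added example, not Vercel's code: dry-run a rule of the shape shown above
// against sample requests. 'pre' = starts with, 'ex' = the named parameter
// exists, neg inverts (per the rule's comments); treating several condition
// groups as OR and the sample traffic below are assumptions.
type Condition = { type: 'path' | 'cookie'; op: 'pre' | 'ex'; value: string; neg?: boolean };
type Rule = { conditionGroup: { conditions: Condition[] }[]; action: { mitigate: { action: string } } };
// Minimal view of an incoming request: its path and the cookies it carries.
type Req = { path: string; cookies: Record<string, string> };
// The API requires both conditionGroup and action; report whichever is missing.
function validateRule(rule: Partial<Rule>): string[] {
  const errors: string[] = [];
  if (!rule.conditionGroup?.length) errors.push('conditionGroup is required');
  if (!rule.action?.mitigate?.action) errors.push('action is required');
  return errors;
}
function evalCondition(c: Condition, req: Req): boolean {
  let matched: boolean;
  if (c.op === 'pre') {
    matched = c.type === 'path' && req.path.startsWith(c.value);
  } else {
    // 'ex': for cookies, `value` names the cookie whose presence is tested.
    matched = c.type === 'cookie' ? c.value in req.cookies : req.path !== '';
  }
  return c.neg ? !matched : matched;
}
// All conditions in a group must hold; the rule fires if any group matches.
function ruleMatches(rule: Rule, req: Req): boolean {
  return rule.conditionGroup.some((g) => g.conditions.every((c) => evalCondition(c, req)));
}
// Returns the mitigation the rule would apply to a request, or 'allow'.
function decide(rule: Rule, req: Req): string {
  return ruleMatches(rule, req) ? rule.action.mitigate.action : 'allow';
}

// The rule from the page, without the API envelope.
const challengeCookieless: Rule = {
  conditionGroup: [{ conditions: [
    { op: 'pre', type: 'path', value: '/api' },
    { neg: true, op: 'ex', type: 'cookie', value: '_session' },
  ] }],
  action: { mitigate: { action: 'challenge' } },
};

// Constructed sample traffic for the dry run.
const samples: Record<string, Req> = {
  apiNoCookie: { path: '/api/orders', cookies: {} },
  apiWithSession: { path: '/api/orders', cookies: { _session: 'abc' } },
  pageNoCookie: { path: '/pricing', cookies: {} },
};
```

Note that 'pre' is a plain prefix match, so a path such as /apiary is also covered by the /api condition; narrow the value (for example /api/) if that is not intended.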