In the following example, we send a `PATCH` request to the Update Firewall Configuration endpoint of the Vercel REST API security group. This request creates a new rule in your project's WAF configuration.

Both the `conditionGroup` and `action` body parameters are required fields.

cURL (Client URL) requests are often used by attackers for automated activity such as scraping, brute force attacks, or other malicious activities. To mitigate such risks, create a custom rule using the following code:

app/api/firewall/route.ts

```ts
export async function PATCH() {
  const baseUrl = 'https://api.vercel.com/v1/security/firewall/config';
  const teamId = 'team_a5j...';
  const projectId = 'QmTrK...';
  const body = JSON.stringify({
    action: 'rules.insert',
    id: null,
    value: {
      /** Whether this rule is enabled or not in your Vercel WAF configuration */
      active: true,
      name: 'Challenge Curl',
      description: 'Challenge all traffic from curl requests',
      conditionGroup: [
        {
          conditions: [
            {
              /** Operator used to compare - sub is equivalent to "Contains" */
              op: 'sub',
              /** Parameter from incoming traffic */
              type: 'user_agent',
              value: 'curl',
            },
          ],
        },
      ],
      action: {
        mitigate: {
          action: 'challenge',
          rateLimit: null,
          redirect: null,
          actionDuration: null,
        },
      },
    },
  });
  const res = await fetch(`${baseUrl}?projectId=${projectId}&teamId=${teamId}`, {
    method: 'PATCH',
    headers: {
      Authorization: `Bearer ${process.env.VERCEL_TOKEN}`,
      'Content-Type': 'application/json',
    },
    body,
  });
  if (!res.ok) {
    return Response.json(
      { status: 'Failed to update Firewall' },
      { status: res.status },
    );
  }
  return Response.json({ status: 'New rule added to Firewall' });
}
```
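
A pre-flight check for the rule value built above, to run before the `PATCH` is sent; this is an added example, not part of the original page or Vercel's own code. It enforces the two required fields and flags an empty `sub` value. The `Rule` type, `validateRule`, `matchingAgents` and the sample User-Agent strings are hypothetical names and constructed values, and the matcher assumes `sub` is a plain case-sensitive substring test.

```typescript
type Condition = { op: string; type: string; value: string };
type Rule = {
  conditionGroup?: { conditions: Condition[] }[];
  action?: { mitigate: { action: string } };
};

// Returns the problems found; an empty array means the checks passed.
function validateRule(rule: Rule): string[] {
  const problems: string[] = [];
  if (!rule.action) problems.push('action is required');
  const groups = rule.conditionGroup;
  if (!groups || groups.length === 0) {
    problems.push('conditionGroup is required');
    return problems;
  }
  groups.forEach((group, g) => {
    if (group.conditions.length === 0) problems.push(`conditionGroup[${g}] has no conditions`);
    group.conditions.forEach((c, i) => {
      // An empty string is a substring of every string, so an empty `sub`
      // value would apply the rule's action to all traffic.
      if (c.op === 'sub' && c.value === '') {
        problems.push(`conditionGroup[${g}].conditions[${i}] matches all traffic`);
      }
    });
  });
  return problems;
}

// Assumption: `sub` on `user_agent` is a plain, case-sensitive substring test.
// This local approximation covers that one condition type only.
function matchingAgents(rule: Rule, agents: string[]): string[] {
  const conds = (rule.conditionGroup || [])
    .map((group) => group.conditions)
    .reduce((all, cs) => all.concat(cs), [] as Condition[])
    .filter((c) => c.op === 'sub' && c.type === 'user_agent');
  return agents.filter((ua) => conds.some((c) => ua.indexOf(c.value) !== -1));
}

// Constructed sample rule and User-Agent strings, not captured traffic.
const curlRule: Rule = {
  conditionGroup: [
    { conditions: [{ op: 'sub', type: 'user_agent', value: 'curl' }] },
  ],
  action: { mitigate: { action: 'challenge' } },
};
const sampleAgents = ['curl/8.4.0', 'Mozilla/5.0 (X11; Linux x86_64)'];

console.log(validateRule(curlRule)); // []
console.log(matchingAgents(curlRule, sampleAgents)); // ['curl/8.4.0']
```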