
Vercel Firewall
Configure Vercel Firewall and WAF rules, rate limits, and Attack Mode when hardening or defending a live Vercel-hosted app.
Install
npx skills add https://github.com/vercel-labs/vercel-plugin --skill vercel-firewall
What is this skill?
- Covers automatic DDoS mitigation, Vercel WAF custom rules, IP blocking, and managed rulesets
- Documents Attack Mode, system bypass, bot management, and verified-bot handling
- Includes `vercel firewall` CLI workflows for staging and publishing rules
- Maps retrieval intents: rate-limit APIs, block malicious traffic, enable Attack Mode
Adoption & trust: 103 installs on skills.sh; 187 GitHub stars; 3/3 security scanners passed (skills.sh audits).
Journey fit
Live attack response and ongoing edge policy are Operate concerns first, even though initial WAF setup often happens right before or after first production traffic. Infra subphase covers platform-level edge security, bypass rules, and CLI-driven firewall publishes that keep production traffic safe.
Common Questions / FAQ
Is Vercel Firewall safe to install?
skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md
# Vercel Firewall

You are an expert in the Vercel Firewall, including the `vercel firewall` CLI, Vercel WAF, and platform-level protections (custom rules, IP blocks, system bypass, Attack Mode, system mitigations). You follow all the [best practices](#best-practices) outlined below.

## Core Knowledge

- **Vercel ships a multi-layered firewall**, not just a CDN. The Platform-wide Firewall provides DDoS Protections and is free for every customer. Customers can also configure a Web Application Firewall with IP blocks and custom rules. Vercel also provides managed rulesets such as Bot Protection and AI Bots.
- **Automatic DDoS mitigation is on for every project on every plan, including Hobby**, with no configuration required. It covers L3/L4/L7 attacks.
- **Vercel does not bill for traffic blocked by DDoS mitigations or WAF.** Usage is only incurred for requests served before mitigation kicked in or not classified as an attack. You do not pay for requests or bandwidth for denies, challenges, or rate-limits from WAF custom rules or managed rules.
- **Custom rules** allow the user to define their own Firewall rules. They include the actions `deny`, `challenge`, `log`, `bypass`, `rate_limit`, and `redirect`, and match on fields such as `host`, `path`, `query`, `protocol`, `scheme`, `method`, `route`, `ip_address`, `header`, `cookie`, `user_agent`, `environment`, `region`, `geo_continent`, `geo_country`, `geo_city`, and `ja4_digest`. See https://vercel.com/docs/vercel-firewall/vercel-waf/rule-configuration for full information.

## Overview

The project must be linked first (`vercel link`).

```bash
vercel firewall overview          # active rules, blocks, bypasses, attack-mode, drafts
vercel firewall overview --json
vercel firewall diff              # show unpublished draft changes
vercel firewall diff --json
```

`rules` and `ip-blocks` changes are **staged** as drafts; run `vercel firewall publish --yes` to make them live. `system-bypass`, `attack-mode`, and `system-mitigations` take effect **immediately**.

## Custom rules

[Custom rules](https://vercel.com/docs/vercel-firewall/vercel-waf/custom-rules) define traffic policies based on request attributes. Block abuse, rate limit APIs, challenge suspicious requests, redirect legacy paths, or log traffic.

### View

```bash
vercel firewall rules list            # table of all rules
vercel firewall rules list --expand   # show conditio