You can now control Vercel’s Web Application Firewall (WAF) actions directly in vercel.json, alongside existing support in the dashboard, API, and Terraform.
The has and missing matchers have also been enhanced to support more expressive conditions across headers, rewrites, redirects, and routes. Matching options include:
String equality and inequality
Regular expressions
Prefixes and suffixes
Inclusion and exclusion from string arrays
Numeric comparisons
The following example shows how to deny any request that carries a header whose name starts with a specific prefix:
{
  "$schema": "https://openapi.vercel.sh/vercel.json",
  "routes": [
    {
      "src": "/(.*)",
      "has": [
        {
          "type": "header",
          "key": { "pre": "x-bad-header-" }
        }
      ],
      "mitigate": { "action": "deny" }
    }
  ]
}
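Before shipping a deny rule, it helps to dry-run it against requests that should and should not be blocked. The following is an added example, not Vercel's code: a simplified local model of the rule above. It assumes that src is anchored to the full path, that every has entry must match, and that header names compare case-insensitively; the function names and the "allow" result are hypothetical.

```javascript
// Added example: simplified local model of the rule above, not Vercel's matcher.
// Assumptions: `src` is anchored to the full path, every `has` entry must match,
// and header names compare case-insensitively (as HTTP header names do).
const config = {
  routes: [
    {
      src: "/(.*)",
      has: [{ type: "header", key: { pre: "x-bad-header-" } }],
      mitigate: { action: "deny" },
    },
  ],
};

// True when at least one request header name satisfies the `key` condition.
function headerConditionMatches(cond, headers) {
  const names = Object.keys(headers).map((n) => n.toLowerCase());
  if (typeof cond.key === "string") {
    return names.includes(cond.key.toLowerCase());
  }
  if (cond.key && typeof cond.key.pre === "string") {
    const prefix = cond.key.pre.toLowerCase();
    return names.some((n) => n.startsWith(prefix));
  }
  // Operators other than `pre` are outside this model: fail loudly, never guess.
  throw new Error("unsupported key condition: " + JSON.stringify(cond.key));
}

// Returns the mitigate action of the first matching route, or "allow"
// ("allow" is this model's label for "no rule fired", not a Vercel action).
function evaluate(cfg, request) {
  for (const route of cfg.routes || []) {
    if (!new RegExp("^" + route.src + "$").test(request.path)) continue;
    const ok = (route.has || []).every((c) => {
      if (c.type !== "header") throw new Error("unsupported type: " + c.type);
      return headerConditionMatches(c, request.headers);
    });
    if (ok && route.mitigate) return route.mitigate.action;
  }
  return "allow";
}

// Constructed sample requests.
const samples = [
  { path: "/api/items", headers: { "X-Bad-Header-Probe": "1" } },
  { path: "/api/items", headers: { "x-bad-header": "1" } }, // no trailing "-"
  { path: "/", headers: { accept: "text/html" } },
];
for (const s of samples) console.log(s.path, Object.keys(s.headers), "->", evaluate(config, s));
```

The second sample shows why the trailing hyphen in the prefix matters: a header named exactly x-bad-header is not matched by this rule.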
Read more about Vercel's WAF and configuring WAF rules in vercel.json.