WAF Managed Rulesets

Managed rulesets are collections of predefined WAF rules based on standards such as Open Worldwide Application Security Project (OWASP) Top Ten that you can enable and configure in your project's Firewall dashboard.

The following ruleset(s) are currently available:

• OWASP core ruleset
• Bot protection managed ruleset
• AI Bots managed ruleset

• You need to be a Developer or viewer (Viewer Pro or Viewer Enterprise) in the team to view the Firewall overview page and list the rules
• You need to be a Project administrator or Team member to configure, save and apply any rule and configuration

To enable and configure OWASP Core Ruleset for your project, follow these steps:

1. From your project's dashboard, select the Firewall tab
2. Select the Configure button
3. From the Managed Rulesets section, enable OWASP Core Ruleset
4. You can apply the changes with the OWASP rules enabled by default:
   • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
   • Select Review Changes and review the changes to be applied
   • Select Publish to apply the changes to your production deployment
5. Or select what OWASP rules to enable first by selecting Configure from the OWASP Core Ruleset list item
6. For the OWASP Core Ruleset configuration page, enable or disable the rule that you would like to apply
7. For each enabled rule, select Log or Deny from the action drop-down
   • Use Log first and monitor the live traffic on the Firewall overview page to check that the rule has the desired effect when applied
8. Apply the changes
9. Monitor the live traffic on the Firewall overview page

To enable and configure bot protection for your project, follow these steps:

1. From your project's dashboard, select the Firewall tab.
2. Select the Configure button.
3. From the Bot Management section, select Log or Challenge on the Bot Protection rule to choose what action should be performed when an unwanted bot is identified.
   • When enabled in challenge mode, the Vercel WAF will serve a JavaScript challenge to traffic that is unlikely to be a browser.
4. You can then apply as follows:
   • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
   • Select Review Changes and review the changes to be applied
   • Select Publish to apply the changes to your production deployment

To manage AI bots for your project, follow these steps:

1. From your project's dashboard, select the Firewall tab.
2. Select the Configure button.
3. From the Bot Management section, select Log or Deny on the AI Bots rule to choose what action should be performed when an AI bot is identified.
   • Log: This action records AI bot traffic without blocking it. Its useful for monitoring.
   • Deny: This action blocks all traffic identified as coming from AI bots.
4. You can then apply as follows:
   • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
   • Select Review Changes and review the changes to be applied
   • Select Publish to apply the changes to your production deployment

Sometimes, you may need to allow specific requests that a managed ruleset is blocking. For example, Bot Protection could be blocking a custom user agent that you are using. In this case, use the bypass action in a WAF Custom Rule to target the traffic you want to allow. In the case of the custom user agent, you would use the "User Agent" parameter with a value of the user agent name in the custom rule.

If you need to allow requests being blocked by your own custom rule set up in your project, you can add another custom rule with a bypass action targeting the blocked requests. Make sure that the bypass rule executes before the blocking custom rule by placing it higher in the custom rules section of the Firewall rules page of your project dashboard.

The Vercel WAF executes rules on incoming traffic in the following order:

1. Custom rules set up in the project
2. Managed rulesets configured in the project