Bot management, fully integrated.

Stop volumetric attacks, logic abuse, automation, and targeted bots with a multi-layered Bot Management system.

Manage real-time app traffic

Implement your own protections with custom rules, managed rulesets, and Vercel BotID, all from a single firewall dashboard with live traffic insights.

Layered defenses for different kinds of threats.

DDoS Protection

Protect uptime and control infrastructure cost by filtering high-volume request floods.

Web Application Firewall

Apply custom rules to implement business logic and stop credential stuffing, malformed requests, and vulnerable routes.

Bot Protection

Catch non-browser agents, spoofed headers, and simple replay attacks.

DDoS Mitigation.

Automatically mitigate Layer 3, DDoS, and other high-volume attacks before they reach your applications.

Custom rules.

Use the WAF's UI or API to define custom business logic and precisely control traffic.

Managed rulesets.

Mitigate the most critical risks, like OWASP Top 10, using predefined advanced rulesets.

Attack Challenge Mode.

Browser checks help ensure that only legitimate users can access your application during an attack.

Know who’s crawling your site

The bots.fyi directory is a public list of verified bots maintained by Vercel. It’s continuously updated to reflect new services, helping you stay informed and make better decisions about which automated traffic to allow.

See the bot directory

Stop attacks before they reach your app and critical endpoints.

Stop volumetric attacks

Vercel Firewall filters billions of requests per week across TCP and HTTP layers by default.

Defend in real-time

Blocks L3/L4 and L7 DDoS attacks in real time across the entire platform.

Detection modes

Basic or deep Kasada-powered analysis, easily configurable.

Detect non-browser traffic

Identify and block headless browsers, scripts, and automation tools.

Block unauthorized AI crawlers

Optionally block known AI scrapers and model trainers with one toggle.

Session-level validation

Challenges suspicious sessions or validates traffic invisibly with Vercel BotID.