VercelVercel

Challenge cookie-less requests on a specific path

Learn how to challenge specific requests with the Vercel WAF API.

DX Team
Knowledge Base/Security
2 min read
Last updated November 10, 2025

In the following example, we send a PATCH request to the Update Firewall Configuration endpoint of the Vercel REST API security group. This request creates a new rule in your project's WAF configuration.

Both the conditionGroup and action body parameters are required fields

This strategy helps you prevent unauthorized access to sensitive information on specific paths of your web application, and protect against Cross-Site Request Forgery (CSRF) attacks.

To enable this on your Vercel project, create a custom rule using the following code:

app/api/firewall/route.ts
export async function PATCH() {
  let baseUrl = 'https://api.vercel.com/v1/security/firewall/config';
  let teamId = 'team_a5j...';
  let projectId = 'QmTrK...';


  const body = JSON.stringify({
    action: 'rules.insert',
    id: null,
    value: {
      active:
        true /** Whether this rule is enabled or not in your Vercel WAF configuration */,
      name: 'Challenge Cookieless requests',
      description: 'Challenge all traffic without session cookies on a specific path',
      conditionGroup: [
        {
          conditions: [ /** Both conditions need to be true */
            {
              op: 'pre' /** Operator used to compare - pre equivalent to "Starts with" */,
              type: 'path' /** Parameter from incoming traffic */,
              value: '/api',
            },
            {
              neg: true, /** Perform negative match */
              op: "ex", /** Operator used to compare - ex equivalent to "Does not contain" */,
              type: 'cookie' /** Parameter from incoming traffic */,
              value: '_session',
            },
          ],
        },
      ],
      action: {
        mitigate: {
          action: 'challenge',
          rateLimit: null,
          redirect: null,
          actionDuration: null,
        },
      },
    },
  });


  let res = await fetch(`${baseUrl}?projectId=${projectId}&teamId=${teamId}`, {
    method: 'PATCH',
    headers: {
      Authorization: `Bearer ${process.env.VERCEL_TOKEN}`,
      'Content-Type': 'application/json',
    },
    body,
  });


  if (!res.ok) {
    return Response.json(
      { status: 'Failed to update Firewall' },
      { status: res.status },
    );
  }


  return Response.json({ status: 'New rule added to Firewall' });
}

Was this helpful?

supported.

Read related documentation

Explore more Firewall API guides