I would like to block all incoming POST requests based on a specific JSON value in the request body. For example, I want to block any requests where the userId is set to 123 in the request body.
From my understanding after reviewing your documentation (Vercel WAF rule configuration), it seems that blocking requests based on HTTP request body fields isn’t currently supported.
Having this functionality would allow me to block certain requests before they reach the serverless function. Currently, I’m handling these cases with an early return within the function itself. However, each invocation still takes about 5ms, and with a high volume of such requests, this adds up. Being able to block these requests at the WAF level would improve performance and reduce unnecessary processing.
Are there any plans to add this capability in the future? Or, if there are any workarounds or alternative methods to accomplish this, I would greatly appreciate any guidance.
Hi there, great question! I don’t know if there are plans to add this capability in the future, but there are a few good reasons why we don’t have it today:
First, the structure of an HTTP request is important to how most firewalls work (in general, not just Vercel’s). The headers come before the body so they can be quickly parsed and the request can be dropped as early as possible if needed. The body, on the other hand, can be of arbitrary length and usually requires more resources to analyze.
It’s possible for a firewall to filter on the body, but consider the common case and the effects of filtering on the body. When unwanted requests come through, they first check the headers and drop matches there. Next, every request that has not been dropped will need to have its body analyzed - the most expensive part of the process - meaning that every good request fundamentally incurs that overhead.
I’m simplifying a lot here, but most firewalls work similarly to this. There are ways to make filtering on the body more efficient, like only inspecting requests below a certain size threshold, but broadly speaking, inspecting the request body is not something you want to do unless there’s a specific reason that you can’t do it another way.
Your best alternative is probably to use middleware for this - it runs before the serverless function, is cheaper, and as a nice bonus, it will keep the logs for your function itself a bit cleaner by filtering out those requests in advance. Keep in mind that the overhead I mentioned earlier still applies - inspecting every request body is going to be expensive. A way to mitigate this would be storing the id in your query params; that way you can read it from the headers.
I don’t have an example for exactly what you’re asking, but check out our templates - one of these should give you enough info to get started: Find your Template – Vercel
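One way to implement the middleware approach suggested in the reply above, as an added example that is not code from this thread or from Vercel. It follows the ordering the reply describes: the cheap checks (method, query string, content-type, content-length) run first and never touch the body, and the body is parsed only for small JSON POST requests, so large or unknown-length bodies fall through to the function untouched. `BLOCKED_USER_ID`, `MAX_BODY_BYTES`, the `userId` query parameter name and the `/api/` matcher are illustrative assumptions. In a real Vercel deployment you would export `middleware` as the default export of `middleware.js` and export the `config` object; returning nothing lets the request continue. Those exports are left out here so the block runs stand-alone.

```javascript
// Added example, not from the thread or from Vercel. Illustrative constants:
const BLOCKED_USER_ID = 123;          // the user ID the question wants blocked
const MAX_BODY_BYTES = 16 * 1024;     // size threshold above which we skip body inspection
const config = { matcher: '/api/:path*' }; // assumed path scope for the middleware

// Read a header from either a Headers instance or a plain object (case-insensitive).
function getHeader(headers, name) {
  if (headers && typeof headers.get === 'function') return headers.get(name);
  const wanted = name.toLowerCase();
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? null : headers[key];
}

function blockedResponse() {
  return new Response(JSON.stringify({ error: 'forbidden' }), {
    status: 403,
    headers: { 'content-type': 'application/json' },
  });
}

// Cheap phase: decide from the request line and headers only.
// Returns 'block', 'pass', or 'inspect-body' (only the last one costs a body read).
function decideFromHeaders(method, url, headers) {
  const parsed = new URL(url);

  // Query string lives in the request line, so this costs nothing extra.
  // Strict string comparison: "123abc" or "0123" do not match.
  if (parsed.searchParams.get('userId') === String(BLOCKED_USER_ID)) return 'block';

  if (method !== 'POST') return 'pass';

  const contentType = (getHeader(headers, 'content-type') || '').toLowerCase();
  if (!contentType.startsWith('application/json')) return 'pass';

  // Size-threshold mitigation from the reply: only inspect small, declared-length bodies.
  const rawLength = getHeader(headers, 'content-length');
  const declared = rawLength === null ? NaN : Number(rawLength);
  if (!Number.isFinite(declared) || declared < 0 || declared > MAX_BODY_BYTES) return 'pass';

  return 'inspect-body';
}

// Expensive phase: parse an already-read body text. Returns 'block' or 'pass'.
function decideFromBody(bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return 'pass'; // malformed JSON: let the function produce its normal error
  }
  // Must be an object whose userId is the number 123; "123" or an array do not match.
  if (body !== null && typeof body === 'object' && !Array.isArray(body)
      && body.userId === BLOCKED_USER_ID) {
    return 'block';
  }
  return 'pass';
}

// Middleware entry point: Response to short-circuit, null to continue.
async function middleware(request) {
  const verdict = decideFromHeaders(request.method, request.url, request.headers);
  if (verdict === 'block') return blockedResponse();
  if (verdict === 'pass') return null;

  // Read a clone so the original body stream stays readable for the function.
  const text = await request.clone().text();
  return decideFromBody(text) === 'block' ? blockedResponse() : null;
}
```

Because the body is read from `request.clone()`, the downstream function still receives an intact body. Note that `content-length` can be absent or lie (chunked uploads, misbehaving clients); the code treats a missing or oversized declared length as "do not inspect", which is the safe direction for the cost concern in the thread, and the function itself remains the place where the check is enforced authoritatively.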