I have a Next.js project hosted on Vercel, and I’m running into a big issue: people are scraping my API endpoints and spamming them, causing huge Function Duration usage. As a result, I’m facing a massive bill due to traffic from non-legitimate users.
I’d like to set things up so that these endpoints can only be called from my own website/project and not be publicly accessible to anyone. Is there a recommended way—either via Next.js configuration or Vercel settings—to ensure only my site can call these APIs?
I’d really appreciate any guidance or best practices. This month, my bill skyrocketed to $1000, whereas I usually pay around $40. If someone from the Vercel team can also jump in to help, that would be amazing. I can’t afford these unexpected charges caused by spam traffic.
I quickly tried to enable Vercel WAF, but having this “We’re verifying your browser” every time someone visits my website is not possible.
Do you know if it’s possible to only enable it for the API (so it’s hidden and users don’t even know there is a verification)?