Boost Your JavaScript App Security with Custom Regex Rules in Vercel’s Firewall

Z4NR34L
Published in Rescale · 4 min read · Jul 15, 2024

Protecting your JavaScript applications from scanners and malicious traffic is crucial in today’s cybersecurity landscape. One effective way to enhance your security measures is by utilizing Vercel’s Firewall with custom regex rules. This article will guide you through the process of adding a specific regex to Vercel’s Firewall, aimed at blocking common malicious requests and protecting sensitive files. Additionally, implementing this rule can help reduce costs and the number of requests Vercel bills you for, by cutting down on unnecessary scanner activity.

The Importance of Firewall Rules

Firewalls serve as a critical line of defense, filtering incoming and outgoing traffic based on predefined security rules. By configuring custom regex patterns, you can tailor the firewall’s behavior to your application’s unique requirements. This approach helps prevent unauthorized access, protects sensitive data, and mitigates various attack vectors.

Understanding the Regex Pattern

Before we dive into the implementation, let’s break down the regex pattern used in this guide:

\/(?:\.ssh\/)?id_(?:d|r)sa|\/wp-admin|\/wp-includes|\/wp-config(?:\.php)?|\/wp-content|\/config\.json|test\.txt|CVS|database(?:s)?\.yml|sftp-config.json|\/composer\.json|(?:^|\/)\.(?!well-known\/).*$|\/(?!sitemap\.xml$).*\.xml$|\.(php\d?|phtml|ini|key|cache|sqlite|db|pem|lock)(?:$|\?)
  1. SSH Keys: \/(?:\.ssh\/)?id_(?:d|r)sa
    - Blocks access to SSH key files, including both id_dsa and id_rsa.
  2. WordPress Files and Directories:
    - \/wp-admin: Blocks the WordPress admin directory.
    - \/wp-includes: Blocks the WordPress includes directory.
    - \/wp-config(?:\.php)?: Blocks the WordPress configuration file.
    - \/wp-content: Blocks the WordPress content directory.
  3. Configuration Files:
    - \/config\.json: Blocks JSON configuration files.
    - database(?:s)?\.yml: Blocks YAML database configuration files.
    - sftp-config.json: Blocks SFTP configuration files.
    - \/composer\.json: Blocks Composer configuration files.
  4. Common Test and Backup Files:
    - test\.txt: Blocks test text files.
    - CVS: Blocks CVS directories.
  5. Dot Files (excluding .well-known):
    - (?:^|\/)\.(?!well-known\/).*$: Blocks all dot files, except those in the .well-known directory.
  6. Exclude sitemap.xml:
    - \/(?!sitemap\.xml$).*\.xml$: Blocks .xml files except the root sitemap.xml, which is kept reachable for SEO purposes.
  7. Sensitive File Extensions:
    - \.(php\d?|phtml|ini|key|cache|sqlite|db|pem|lock)(?:$|\?): Blocks files with extensions commonly associated with configuration, databases, and sensitive information, whether the extension ends the path or is followed by a query string.

Implementing the Regex in Vercel’s Firewall

Step 1: Access Your Vercel Dashboard

First, log in to your Vercel account and navigate to the project for which you want to configure the firewall rules.

Step 2: Configure Firewall Rules

  1. Open the “Firewall” tab in the project’s submenu.
  2. Click the “Configure” button at the top.
  3. Click the white “+ New Rule” button.
  4. Provide a name of your choice for the new rule.
  5. In the configuration schema, select Request Path, then Matches expression, and paste the regex above.
  6. In the “Then” section select the “Deny” action.
[Image: Vercel Firewall rule configuration example]

Step 3: Save and deploy

Now save your new rule and publish the changes you have made.

[Image: Vercel Firewall changes review button]
  1. At the top of the page you will notice a “Review Changes” button. Click it.
  2. A review modal will appear. Use the “Publish” button to push your changes to the firewall.
[Image: Vercel Firewall changes review modal and publish button]

Benefits of Implementing This Regex Rule

Enhanced Security

By blocking requests to sensitive files and directories, you reduce the risk of unauthorized access and data breaches. This regex pattern specifically covers files and paths that malicious scanners and bots probe most frequently.

Cost Savings

One of the significant benefits of implementing this regex rule is the potential cost savings. Scanners and bots can generate a substantial amount of traffic, which Vercel bills based on the number of requests. By blocking these unnecessary requests at the firewall level, you can significantly reduce the number of billable requests, thereby cutting costs.

Testing the Firewall Rule

To ensure that the firewall rule is working correctly, you can test it by attempting to access URLs that match the blocked patterns. For example, try accessing /wp-admin, /config/database.yml, or /composer.json. These requests should be blocked, returning a 403 Forbidden status or Vercel’s error page.

[Image: Vercel Firewall example /wp-admin rule]
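Before publishing a deny rule it is worth checking, offline, which paths it actually matches, and after publishing it is worth confirming the live decision for the same paths. The script below is an added example written for this article; it is not code from the article or from Vercel. It evaluates the regex from the “Understanding the Regex Pattern” section against a constructed list of request paths (the ones the testing step above suggests, plus legitimate paths that must stay reachable and a few edge cases of the pattern), and optionally probes a deployment. It assumes the firewall applies the pattern with the same semantics as JavaScript’s RegExp and tests it against the request path, optionally with a query string appended; the article does not state Vercel’s exact matching semantics, so treat that as an assumption. The base URL `https://your-project.vercel.app` is a placeholder.

```javascript
// Added example, not from the article or Vercel. Assumes JavaScript RegExp
// semantics and that the rule is matched against the request path (with an
// optional "?query" suffix); both are assumptions, not documented behaviour.

// The pattern exactly as given in the article.
const BLOCK_RE = /\/(?:\.ssh\/)?id_(?:d|r)sa|\/wp-admin|\/wp-includes|\/wp-config(?:\.php)?|\/wp-content|\/config\.json|test\.txt|CVS|database(?:s)?\.yml|sftp-config.json|\/composer\.json|(?:^|\/)\.(?!well-known\/).*$|\/(?!sitemap\.xml$).*\.xml$|\.(php\d?|phtml|ini|key|cache|sqlite|db|pem|lock)(?:$|\?)/;

// True when the rule would deny the request.
function isBlocked(path) {
  return BLOCK_RE.test(path);
}

// Constructed sample paths and the decision expected from the rule.
const SAMPLES = [
  // Paths the article says the rule is for.
  ['/wp-admin', true],
  ['/wp-admin/install.php', true],
  ['/config/database.yml', true],
  ['/composer.json', true],
  ['/keys/id_rsa', true],
  ['/.ssh/id_dsa', true],
  ['/.env', true],
  ['/index.php?id=1', true],
  ['/index.php5', true],
  ['/yarn.lock', true],
  ['/cert.pem', true],
  // Legitimate traffic that must keep working.
  ['/', false],
  ['/api/users?page=2', false],
  ['/_next/static/chunks/main.js', false],
  ['/styles/app.css', false],
  ['/package-lock.json', false],
  ['/data.dbx', false],
  ['/sitemap.xml', false],
  ['/.well-known/acme-challenge/token', false],
  // Edge cases of the pattern: only the root sitemap is exempt, so nested
  // sitemaps and feeds are denied; test\.txt and CVS are unanchored substrings.
  ['/blog/sitemap.xml', true],
  ['/feed.xml', true],
  ['/latest.txt', true],
];

// Returns the paths whose actual decision differs from the expected one
// (empty when the pattern behaves as documented above).
function checkSamples(samples = SAMPLES) {
  return samples
    .filter(([path, expected]) => isBlocked(path) !== expected)
    .map(([path]) => path);
}

// Probe a deployment after the rule is published (Node 18+ global fetch).
// Returns one row per path with the HTTP status and the locally expected
// decision, so a mismatch between the two stands out.
async function probe(baseUrl, paths = SAMPLES.map(([p]) => p)) {
  const rows = [];
  for (const path of paths) {
    const res = await fetch(new URL(path, baseUrl), { redirect: 'manual' });
    rows.push({ path, status: res.status, expectDeny: isBlocked(path) });
  }
  return rows;
}

// Usage: node firewall-check.js [https://your-project.vercel.app]
if (typeof module !== 'undefined' && require.main === module) {
  for (const [path] of SAMPLES) {
    console.log(`${isBlocked(path) ? 'DENY ' : 'allow'}  ${path}`);
  }
  const mismatches = checkSamples();
  if (mismatches.length) {
    console.error('unexpected decisions for:', mismatches);
    process.exit(1);
  }
  const base = process.argv[2];
  if (base) {
    probe(base).then((rows) => {
      for (const r of rows) {
        console.log(`${r.status}  ${r.expectDeny ? 'expect deny ' : 'expect allow'}  ${r.path}`);
      }
    });
  }
}
```

Run it without arguments to see the local decision for every sample; pass your deployment URL to compare those decisions with the live status codes (denied paths should come back as 403 or Vercel’s error page). If the `/latest.txt` or `/blog/sitemap.xml` rows surprise you, tighten the corresponding alternatives before publishing rather than after.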

Summary

By implementing custom regex rules in Vercel’s Firewall, you can significantly enhance the security of your JavaScript applications. This specific regex pattern helps protect against common malicious requests and unauthorized access to sensitive files, providing an additional layer of defense. Additionally, reducing the number of unnecessary scanner requests can help cut costs and improve application performance. Regularly updating and refining your firewall rules will ensure continued protection against evolving threats.

Remember, security is a continuous process. Stay informed about the latest vulnerabilities and best practices to keep your applications safe and secure.

IT professional since 2007, self-taught programmer turned cybersecurity expert & software engineer, passionate about interdisciplinary knowledge.