Blocked by "react_ruleset"? Persistent 403 on Browser but cURL works

The Issue

I am seeing a persistent 403 Forbidden on my specific Mac (Chrome/Safari) when hitting my API (POST /api/images), causing my frontend to crash with invalid JSON errors.

The Firewall Log: When I check the Vercel Firewall, I see a high volume of “Denied” requests appearing under a filter/rule named react_ruleset (see attached screenshot).

The Discrepancy (Browser vs. Terminal)

The strange part is that cURL works fine from the exact same machine:

• Browser (Mac): Returns 403 Forbidden (Blocked by Firewall).
• Terminal (Mac): curl -I -X POST ... Returns 401 Unauthorized (Passed Firewall, reached app).

Steps Taken

1. Whitelisted my public IPv4 in “System Bypass Rules”.
2. Disabled iCloud Private Relay & limit IP tracking.
3. Cleared Cache / Used Incognito.
4. Confirmed iPhone on same Wi-Fi works fine.

Question: What exactly is react_ruleset? Why is it hard-blocking my browser’s specific TLS fingerprint/User Agent while allowing cURL requests from the same IP? And how to allow my device which is my own IP not network attacking. Thank you for any directions

Screenshot 2025-12-26 at 9.58.46 AM1878×1358 211 KB

Screenshot 2025-12-26 at 9.57.03 AM908×348 27.2 KB

This also happens to me when I am upload larger file, around more that 5MB. Really annoying error, also I cannot really find what rules this ruleset contains. Does anyone know this information?

@nothumbee There is a hard limit on file uploads of 4.5MB which is probably what you’re hitting instead Limits

@lihaoz-barry Are you still facing this? Sorry for the slow reply, just getting back after holidays

@lihaoz-barry Just checking in on your issue with the 403 Forbidden error related to the react_ruleset. Have you found a solution, or do you still need assistance troubleshooting the problem? Let me know if that helps!