Blocked HappyDOM, but requests still marked as Allowed

Hi everyone,

Over the past few days, I’ve been noticing a consistent number of requests (40–60 per day) coming from a user agent like:

Mozilla/5.0 (X11; Linux x64) AppleWebKit/537.36 (KHTML, like Gecko) HappyDOM/0.0.0


From what I understand, this is likely a headless DOM emulator (HappyDOM), used for scraping or automated testing.

Here’s what I’ve tried so far:

  1. Created a Firewall rule that matches the User-Agent containing “HappyDOM” and set it to Deny – but I kept seeing new requests marked as Allowed.
  2. Tried again with a different rule using a partial User-Agent match and Deny – no effect.
  3. Most recently, I added a rule using JA4 Digest, matching the fingerprint of these requests and also set it to Deny – but I’m still seeing requests from the same User-Agent in my logs, with status “Allowed”.

So far, nothing seems to stop these requests from going through.

My questions:

  • Is there a reason why these requests still appear as Allowed even after being matched by Deny rules?
  • How can I ensure that these requests are fully denied and do not hit my site at all?

For context, my site is a mostly static Next.js project using SSG (static site generation). The only dynamic part is a single API route that handles search queries. I’m hosting it on Vercel (Hobby plan) with a custom domain. The site hasn’t been submitted to Google or any search engines, so I wasn’t expecting any crawler or bot activity at this stage. That’s why these repeated HappyDOM requests are concerning.

Thanks in advance for any help!

Hi,

Mozilla/5.0 (X11; Linux x64) AppleWebKit/537.36 (KHTML, like Gecko) HappyDOM/0.0.0 is an User-Agent not JA4 digest, so you need to set the Rule accordingly

Thanks for the reply!

Just to clarify — I did create a User-Agent rule containing “HappyDOM” and set it to Deny, but the requests still appeared as Allowed in the logs.

That’s why I also tried a JA4 Digest rule afterward, but the result was the same.

Is there something I might be missing in the User-Agent rule setup?

Can you share the project link? Ja4 digest is a different value so it won’t work with User Agent:

Sure, here’s the link: https://www.phrase-explorer.com/

I cannot see any rule set for HappyDOM UA? https://vercel.com/viacheslavs-projects-b8ed749d/phrase-explorer/firewall/configure

I had a JA4 Digest rule earlier but removed it after your clarification.

I haven’t re-added the User-Agent rule yet, because when I previously tried blocking by HappyDOM in the User-Agent string, the requests were still marked as Allowed.

It should work, let me know if it doesn’t

Thanks! I’ll create a User-Agent blocking rule for HappyDOM now and will check the logs tomorrow or in the next couple of days.

I’ll follow up once I see whether the requests are still coming through.

Sure thing! :slight_smile: Let us know how it oes.

1 Like

Hi again,

It’s been two days since I added a User-Agent blocking rule, but I’m still seeing requests with the HappyDOM user-agent marked as Allowed in the Firewall logs.

Can you try blocking using t13d591000_a33745022dd6_1f22a2ca17c4 JA4 digest and let us know how it goes?

I’ve added a JA4 Digest rule to deny the HappyDOM fingerprint. I’ll monitor it for a day or two and follow up with results.

1 Like

Hi Swarnava,

Thanks a lot for the help!

The issue seems to be resolved for now — I haven’t seen any new HappyDOM requests.
The deny rule I set up ended up blocking some internal Vercel services like vercel-favicon/1.0, which was unexpected.

I’m going to remove that rule to avoid affecting Vercel’s own traffic and will keep monitoring.

Thanks again for your support!

1 Like

Glad to hear that it’s resolved now. You’re very welcome!

I really don’t know how it’s possible, but I see HappyDOM requests in the Firewall logs again.

I created a rule specifically to block HappyDOM via JA4 Digest, while making sure to exclude vercel-favicon/1.0, since they both (for some reason) share the exact same JA4 fingerprint.

Previously, when I blocked this JA4 directly (t13d591000_a33745022dd6_1f22a2ca17c4), it ended up blocking vercel-favicon/1.0 as well — which I didn’t want. So I adjusted the rule to look like this:

IF
JA4 Digest == t13d591000_a33745022dd6_1f22a2ca17c4
AND
User-Agent != vercel-favicon/1.0
AND
User-Agent CONTAINS HappyDOM
THEN
Deny

It seemed to work at first, but now I’m seeing HappyDOM requests with that same JA4 Digest showing up again in the logs.

Not sure if the rule isn’t being applied correctly, or if something else is going on.

I’ll attach screenshots of the rule and the recent requests from HappyDOM.

Would appreciate any help or clarification :neutral_face: