On December 18, my Vercel deployment experienced a sudden spike in traffic consistent with a DDoS-style attack. A public API route was repeatedly invoked, which internally uses a Contentful Management API token.
At the time, the frontend was running a React version with known vulnerabilities. However, based on Vercel request logs and traffic patterns, the issue appears to be abusive traffic (high-frequency repeated requests to the same API route) rather than exploitation of the React vulnerability itself. As a result, the attack exhausted:
- My Vercel Fluid Compute usage
- The rate/usage limits associated with the Contentful Management API token
I’m currently on the Vercel free tier and am not able to upgrade to Pro at the moment. I’m trying to understand both why this traffic was allowed through and what protections are available at this tier.
Specifically:
- Does Vercel provide any DDoS detection or mitigation on the free tier?
- What best practices are recommended on the free tier to protect API routes that invoke third-party services with strict rate limits (e.g., Contentful Management API)?
Any guidance on preventing similar abuse without upgrading plans would be greatly appreciated.
Dealing with these traffic spikes is a challenge, but there are a few key ways to harden your setup.
First, I recommend implementing rate limiting using Upstash Redis and Vercel Edge Middleware. This intercepts malicious requests before they hit your main logic, which is the best way to protect your Contentful API limits and Vercel resources from being exhausted.
Next, focus on request validation and caching. Adding API key authentication and strict CORS headers ensures only legitimate users can trigger expensive third-party calls. You can also use Vercel Edge Config or stale-while-revalidate (SWR) patterns to serve data from the cache, creating a buffer that prevents repetitive attack requests from reaching your backend.
Finally, stay proactive by monitoring your Vercel Analytics to spot unusual patterns early. It’s also important to patch any known React vulnerabilities. Even if they aren’t the primary cause of the DDoS, they can leave your site open to other exploits once it’s targeted.
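As an added illustration of the rate-limiting step in the answer above (example code, not from the thread or from Vercel/Upstash): a per-client fixed-window limiter in the shape of an Edge Middleware check. The store interface mirrors Redis INCR + PEXPIRE, so the in-memory Map used here can be swapped for Upstash Redis in production; all names (CounterStore, checkRateLimit, middleware, the limit values) are hypothetical.

```typescript
// Added example: fixed-window, per-IP rate limit for /api/* routes, structured
// like a Vercel Edge Middleware check. MemoryStore stands in for Upstash Redis
// (INCR + PEXPIRE on the same key); names and limit values are hypothetical.
interface CounterStore {
  // Increment `key` and return the new count; a fresh key expires after `windowMs`.
  incr(key: string, windowMs: number, now: number): number;
}

class MemoryStore implements CounterStore {
  private hits = new Map<string, { count: number; expiresAt: number }>();
  incr(key: string, windowMs: number, now: number): number {
    const cur = this.hits.get(key);
    if (!cur || cur.expiresAt <= now) {
      this.hits.set(key, { count: 1, expiresAt: now + windowMs });
      return 1;
    }
    cur.count += 1;
    return cur.count;
  }
}

interface Decision { allowed: boolean; remaining: number; retryAfterSec: number }

// Count hits per (client, window); `now` is injected so behaviour is deterministic.
function checkRateLimit(store: CounterStore, ip: string, limit: number,
                        windowMs: number, now: number): Decision {
  const windowId = Math.floor(now / windowMs);
  const count = store.incr(`rl:${ip}:${windowId}`, windowMs, now);
  const allowed = count <= limit;
  const msLeft = (windowId + 1) * windowMs - now; // time until the window rolls over
  return { allowed, remaining: Math.max(0, limit - count),
           retryAfterSec: allowed ? 0 : Math.ceil(msLeft / 1000) };
}

// Stand-ins for the request/response objects Edge Middleware works with.
interface Req { ip: string; path: string }
interface Res { status: number; headers: Record<string, string> }
const API_LIMIT = 10;          // requests per client per window (constructed value)
const API_WINDOW_MS = 60_000;  // one-minute window (constructed value)

// null means "let the request continue" (NextResponse.next()); otherwise a 429.
// Only /api/* is limited, so static pages are never throttled by this check.
function middleware(req: Req, store: CounterStore, now: number): Res | null {
  if (!req.path.startsWith("/api/")) return null;
  const d = checkRateLimit(store, req.ip, API_LIMIT, API_WINDOW_MS, now);
  if (d.allowed) return null;
  return { status: 429, headers: { "Retry-After": String(d.retryAfterSec),
                                   "X-RateLimit-Remaining": "0" } };
}
```

Because the counter is keyed by client and window, one abusive client is cut off after API_LIMIT requests while other clients and non-API paths are unaffected, and the 429 carries a Retry-After so well-behaved callers back off.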
Hey there, @hmlessons23-7771! Just checking in on your DDoS issue. Have you found a solution, or do you still need help with those traffic spikes? Excited to help!