Hello Vercel Support,
I am currently experiencing a critical issue with Vercel’s DDoS/Bot mitigation system affecting my deployments.
Issue:
Legitimate API requests are consistently being blocked with HTTP 403 responses, even under minimal load conditions.
Technical context:
-
Environment: Vercel Serverless Functions
-
Traffic pattern: very low (1–2 requests, no bursts or concurrency)
-
Requests include standard headers (User-Agent, Accept, etc.)
-
Endpoint performs a simple fetch to a static JSON file hosted on Cloudflare R2
-
No custom security middleware or unusual logic
Observed behavior:
-
Requests appear to be blocked at the Edge layer before reaching the function
-
Project-level firewall/allow rules are not applied
-
The issue started recently without code changes
Hypothesis:
False positive triggered by Vercel’s DDoS/Bot detection at the Edge network level
Impact:
-
APIs are effectively unusable
-
Web applications cannot operate reliably
-
Even minimal request patterns are blocked
Questions / Requests:
-
Could you verify whether my project or IP has been incorrectly flagged?
-
Have there been recent changes to DDoS/Bot mitigation policies?
-
Is it possible to reduce sensitivity or apply an allowlist for my project?
-
Can you provide insight into why these requests are classified as malicious?
This issue is currently blocking my ability to use the platform.
Thank you for your assistance.
Best regards