Hello community, for the past couple days I have been experiencing 403s in my web application deployed via Vercel.
The 403 is also visible in Vercel's Deployment dashboard for my application
After reading a lot, this is what I have tried so far (please note I'm PRO plan
- Added system bypass: my idea was to skip automatic DDoS mitigation by whitelisting my IP Address (and my clients one) that I consider safe. Basically I did this for all the IP Addresses blocked in my country. No luck.
- I paused the System DDoS Mitigation: it's been off for the past 6 hours, yet, I still get blocked by a 403 immediately after clicking on a subdomain of my application
My proyect is currently a Nextjs app that supports multi tenant (subdomains): basically every tenant is a client and there are a couple of shared ones like app. and admin. The main domain is tenio.com.ar
I'm sharing below a couple (of the hundreds I got so far) of the error codes associated to the 403s I'm getting (I'm getting these myself BTW, pretty much everytime in every device and also my clients)
- https://laliga.tenio.com.ar/: ID: gru1::vvwdn-1778453507840-b825b58be531
- https://circuitojb.tenio.com.ar/: ID: gru1::6zzq7-1778453534791-f28a4994e29a
- https://circuitobn.tenio.com.ar/: ID: gru1::n6hsq-1778453559747-c2961ad8a6c0
- https://tenisamigas.tenio.com.ar/: ID: gru1::6zzq7-1778453566178-7ea48b24e7f2
- https://rankingmitre.tenio.com.ar/:ID: gru1::pk4ps-1778453564560-39655a1621b6
These are just a few, I don't get it, this started a couple days ago and I can tell other users reporting this. I Have submitted the issue to support as well but still no response. This is drastically affecting my application and I don't know what to do
I also don’t understand how come if I’m explicitly turning OFF the WAF protection for DDoS I still get the 403s, shouldn’t they at least stop with this ?
Any help is appreciated,
Thanks in advance!
PS: adding some screenshots of my current WAF .. as I said, I don’t understand how/why IP addresses such as 181.165.80.164 is still being blocked with Bypass system rule in place and even with the entire DDoS mitigation turned off
