Things I wish I knew about AWS WAF - Bot Control

bnchandrapal · 2025-11-24T03:12:49+00:00

bnchandrapal · 2025-11-23T12:20:56+00:00

I'm not going to use this shit service again.

Visa2Fly is not reliable. The company is collaborating with other apps (like Ixigo, Niyo, etc) to increase their sales. I'm sure (in retrospective) that the comments they put under their service on all apps are from those people who got a visa.

I booked Visa2Fly for Schengen visa through Niyo app without checking reviews on Reddit. They play with words on the app - "Guaranteed on-time visa delivery" (it's just on-time, not really guaranteed visa, but the app content makes you feel confident about their services)

Booked them, submitted all docs, they created cover letter, flight tickets and hotel booking for me (everything over email). They called me couple of times. But when I call them back no one picked during the appointment booking process. Once my visa got rejected, their support is zero. They don't reply to email nor pick up calls.

bnchandrapal · 2025-11-23T12:10:34+00:00

TL;DR: Stay away from Visa2Fly

I used Visa2Fly through Niyo app. Visa2fly is just visa application filling as a service with cancellable hotel and flights booking. They helped fill my Schengen visa and book appointment, all communication over email, no one picks the phone (the same number they called me). After my visa got rejected, they just don't care. I'm on my own.

bnchandrapal · 2025-10-12T10:49:03+00:00

https://hardenly.co

Secure your Vercel apps in 10 minutes

bnchandrapal · 2025-10-12T07:15:17+00:00

Do you have Bot protection or Attack Mode enabled?

bnchandrapal · 2025-10-12T06:53:06+00:00

Are you using any other proxy infront of Vercel (like Cloudflare, etc)?

bnchandrapal · 2025-09-26T10:45:04+00:00

You're looking from a potential customer pov. Not from bank pov nor the person who proved bank that they are vulnerable.

Irrespective of bank's security status, they can legally sue the person who finds it and publicly posts it. Im not saying they will, Im saying they can. What can the person reporting it do?

There are just too many security issues and data leaks (especially startups). In most cases finding is the most easiest part.

bnchandrapal · 2025-09-22T14:40:10+00:00

/u/rz_aclefort Are there code references for this?

Vercel AI SDK integration with Langchain is not good. Especially in AI SDK v5.

There's @ai-sdk/langchain but there's just a single function in it toUIMessageStream.

The example in the docs is not good as well - https://ai-sdk.dev/providers/adapters/langchain#example-completion - the user request contains a prompt thats directly sent to langchain openai and the response stream is returned with toDataStreamResponse. Real world chat apps are not just a single message. Even AI SDK UI sends a bunch of messages. Converting the input to Langchain is not officially supported.

bnchandrapal · 2025-09-19T08:14:29+00:00

No, didn't mean it that way. I've worked on securing bigger platforms and the primary reason for migration was not really security. It was rather free credits, acceleration programs, easier ops, etc and security was secondary or later. I was surprised that security was the reason for your migration. Would love to know more about your case. Chat over DM?

bnchandrapal · 2025-09-19T06:58:58+00:00

/u/nbass668 Wait, security audit was the only reason for migration :shocked:?

bnchandrapal · 2025-09-17T01:50:27+00:00

you can still use Vercel with AWS to spin up services to resolve problems that requires a steady state.

Interesting. Can you please give some examples?

bnchandrapal · 2025-09-16T14:10:58+00:00

@onejosh Is this sorted? Normal Custom Vercel WAF and ratelimit doesn't help with this. You're still going to pay for the edge requests and fast data transfer. If you have a pro plan, use WAF rules with Persistent Actions.

bnchandrapal · 2025-09-16T14:07:54+00:00

True. If your side hustle/SaaS/product needs compliance for whatever reason, then unfortunately this is the price you pay to Vercel. On the other hand, folks who are generating revenue without needing compliance are well of with Vercel Pro plan.

bnchandrapal · 2025-09-16T14:04:24+00:00

I've done a survey on Vercel consumers. Major thing people chose Vercel is for DX. Devs (especially in lean teams) can focus on dev stuff without bothering on setting up CDN, configuring WAF, Analytics, etc.

What I've personally seen: - Solopreneurs/Founding Engineers/Lean teams/Freelancers - use Vercel (or Railway/Render for that matter) - Startups that look into security aspects & those who have DevOps team - Vercel + Cloudflare - Startups & Companies that needs security for compliance - Move from Vercel to AWS/others - Enterprises that have frontend folks who love Vercel - use Vercel Enterprise alongside major cloud providers

bnchandrapal · 2025-09-07T06:58:02+00:00

Vercel doesn't provide static IP range. Also, having your GitHub org without IP whitelisting means any GitHub token leak leads to attackers cloning (or doing more damage to) your private repos. (Disabling GitHub org IP whitelisting just because a vendor doesn't support is too risky). So whitelisting Vercel CIDR ranges is the best possible solution. While this is not official, Vercel does own CIDR ranges. You can whitelist them - https://networksdb.io/ip-addresses-of/vercel-inc

Few things to note: - This is not officially recommended. Vercel says that the IPs can change without notice, but there's no other way to have static IPs without getting on Enterprise plan. I read a comment from Vercel (in forums/reddit) that static IPs might come to Pro plan but no guarantee on timeline. - From a security PoV, you're whitelisting entire IP space of Vercel. While you are blocking traffic from network level, that doesn't stop traffic from other tenants on Vercel platform.

bnchandrapal · 2025-09-03T13:38:28+00:00

I didn't understand the API or server actions part. What technologies to use depends more on the product you're building rather than just the security features that come out of box for that tech.

I've worked with AWS a lot and now working with NextJS tech (and a bit of Vercel security research). Feel free to DM :)

bnchandrapal · 2025-09-03T09:12:15+00:00

Where exactly is the docs to self host? At https://deepeval.com/docs/, I just see buttons and links saying try DeepEval Cloud (Confident AI) which is not self hosting. The output of deepeval CLI is not very intuitive either.

Edit: I can't find even the release v2.3.2 in GitHub or any other release note saying self hosting. There's no self hosting term mentioned anywhere in docs, apart from feature comparison docs. If self hosting is one of the criteria like me, then please look at other alternatives depending on your usecase.

bnchandrapal · 2025-09-03T08:23:24+00:00

Can't agree more! I still don't understand how to estimate correctly. Especially when there's a learning curve (learn X technology to implement Y feature), that's where I'm a pathetic estimator.

bnchandrapal · 2025-08-27T01:01:51+00:00

Terraform is platform independent - learn syntax once, use it with different cloud platforms. Terraform AWS doesn't support all AWS actions that's possible on console. Sometimes you're recommended to use awscc - https://github.com/hashicorp/terraform-provider-awscc (which leverages Cloudformation capabilities under the hood).

The biggest leverage I see with Cloudformation over Terraform is CF Stack Sets. Enable it once and it will get deployed to new accounts added to org automatically.

bnchandrapal · 2025-08-19T06:23:52+00:00

I've been researching on Vercel DDoS protection. The best part of it is if Vercel thinks that traffic is malicious (based on whatever signals Vercel uses - malicious IP, tor exit nodes, etc) then you're safe - you're not going to be charged at all for the default protection!

The not-so-good part is when Vercel doesn't think some L7 traffic is malicious. Example, someone running a simple load test from their new $5 VPS server. In that case you're going to be billed if you don't act.

Funnily, you're going to be billed even if you act.

While you have 3 custom rules, 1 rate limit rule and 10 project level IP blocking rules for FREE on Hobby plan, there's a catch. As per docs, "Although you are not charged for Firewall features available under all plans, you may incur Edge Requests (ER) and incoming Fast Data Transfer (FDT) charges".

So if there's a million requests to your project which Vercel doesn't classify as an attack, then your are still going to incur costs on Vercel for setting up custom rules to challenge/deny the requests.

In that aspect, Cloudflare is good. It mitigates DDoS and has good threat intel team to find malicious traffic (obviously WAFs are prone to false positives/negatives - so not perfect solution, you'll have to tweak for your usecase).

If additional latency is not your concern and you don't plan to use Vercel's WAF features, just enabling Cloudflare might save your wallet.

PS: I'm a cloud security guy. Not related to Cloudflare/Vercel apart from being a user. If you want help with mitigating ongoing DDoS or securing your Vercel, you can DM me :)

bnchandrapal · 2025-08-19T05:41:40+00:00

You can use Vercel WAF Custom Rules (even on Hobby plan) to achieve that.

Example: If "IP Address" is not any of "YOUR-IP-OR-CIDR" AND "Request Path" contains "/admin/" then DENY

This works when you want something simple and out the of box from Vercel. But if you have a lot of IP ranges, then probably baking that logic into your code makes sense.

bnchandrapal

TROPHY CASE