Vercel adds natural language interface for WAF custom rules

Vercel has launched a natural language interface for generating WAF custom rules, allowing developers to describe security policies in plain English and have them translated into rule logic [Vercel Blog].

── What shipped ──

Developers can now create WAF rules by typing natural language prompts into the Firewall dashboard. For example, entering "Log all requests to /api/webhook with a missing authorization header" generates a rule that matches the condition and applies the log action [Vercel Blog].

The system supports common WAF actions: block, challenge, rate limit, redirect, and log. Conditions based on IP address, country, path, user agent, and HTTP headers are all supported. Vercel uses an internal LLM-powered parser to convert the input into rule syntax, validated against the same engine used for manually authored rules.

The feature is available today in the WAF custom rules dashboard, with no additional cost for existing customers.

── Why it matters ──

One — configuration velocity increases for non-experts. Writing correct WAF rules today requires understanding of syntax, precedence, and edge cases in pattern matching. With natural language entry, junior engineers or developers unfamiliar with security tooling can enforce basic policies without waiting for review from security specialists.

Two — error surface shifts from syntax to intent. Misconfigurations will now stem from ambiguous descriptions (e.g., "block bad bots") rather than malformed expressions. This moves the failure mode into prompt clarity, a different skillset than traditional rule authoring.

Three — Vercel tightens its developer-first positioning. While AWS WAF and Cloudflare require either JSON, CLI, or form-filling for rule creation, Vercel’s approach aligns with its broader UX philosophy: reduce friction for common tasks. This lowers the activation energy for securing endpoints during rapid iteration.

── Editor's take ──

Natural language WAF rules are a net win for velocity, but they risk creating a false sense of security. A rule that sounds correct in English may still miss edge cases or fail under load. The real test will be whether Vercel adds explainability — showing the generated logic and offering editability — to maintain transparency without sacrificing ease of use.