Vercel has stopped charging for CDN requests and Fast Data Transfer on any traffic blocked, challenged, or rate-limited by its Web Application Firewall. The waiver applies automatically to all projects using Vercel Firewall, no configuration required.
The WAF, already bundled into CDN costs, handles custom rules, managed rules, and rate limiting for non-DDoS bad traffic. Previously, a credential-stuffing botnet hitting a login route or a scraper hammering product pages could generate real bandwidth charges even though Vercel's infrastructure was the one absorbing the attack. That billing gap is now closed.
The changelog entry is brief, but worth reading for the specific scope of what counts as mitigated traffic and how WAF rules interact with existing DDoS protections. If you run anything public-facing on Vercel, understanding the boundary between free DDoS mitigation and WAF-covered traffic is worth five minutes of your time.
[READ ORIGINAL →]