You can now control Vercel’s Web Application Firewall (WAF) actions directly in vercel.json , alongside existing support in the dashboard, API, and terraform. This approach provides a structured way for both developers and agents to declaratively define and push rules to projects. Agents can use code-generating prompts to author new rules that are easily injected into the project’s vercel.json. The has and missing matchers have also been enhanced to support more expressive conditions across headers, rewrites, redirects, and routes. Matching options include: String equality and inequality Regular expressions Prefixes and suffixes Inclusion and exclusion from string arrays Numeric comparisons The following example shows how to deny a request that is prefixed by a specific header: { "$schema" : "https://openapi.vercel.sh/vercel.json" , "routes" : [ { "src" : "/(.*)" , "has" : [ { "type" : "header" , "key" : { "pre" : "x-bad-header-" } } ] , "mitigate" : { "action" : "deny" } } ] } Read more about Vercel's WAF…