Managing microfrontends security
Microfrontends are available in Limited Beta to Enterprise plans
Understand how and where you manage Deployment Protection and Vercel Firewall for each microfrontend application.
For requests to a microfrontend host (a domain belonging to the microfrontend default application):
- Requests are only verified by the Deployment Protection settings for the project of your default application
For requests directly to a child application (a domain belonging to a child microfrontend):
- Requests are only verified by the Deployment Protection settings for the project of the child application
This applies to all Protection Methods and Bypass Methods, including:
- Vercel Authentication
- Password Protection
- Trusted IPs
- Shareable Links
- Protection Bypass for Automation
- Deployment Protection Exceptions
- OPTIONS Allowlist.
Use the Deployment Protection settings for the project of the default application for the group.
- The Platform-wide firewall is applied to all requests.
- The customizable Web Application Firewall (WAF) from the default application and the corresponding child application is applied for a request.
For requests to a microfrontend host (a domain belonging to the microfrontend default application):
- All requests are verified by the Vercel WAF for the project of your default application
- Requests to child applications are additionally verified by the Vercel WAF for their project
For requests directly to a child application (a domain belonging to a child microfrontend):
- Requests are only verified by the Vercel WAF for the project of the child application.
This applies for the entire Vercel WAF, including Custom Rules, IP Blocking, Managed Rulesets, and Attack Challenge Mode.
-
To set a WAF rule that applies to all requests to a microfrontend, use the Vercel WAF for your default application.
-
To set a WAF rule that applies only to requests to paths of a child application, use the Vercel WAF for the child project.
Was this helpful?