Skip to content
VercelVercel
'; user_status_content.firstChild.appendChild(avatarContainer); } else { // Placeholder for LoggedOutUserMenu let loggedOutContainer = document.createElement('div'); // if LoggedOutUserMenu fallback let userBtn = document.createElement('button'); userBtn.style.width = "33px"; userBtn.style.height = "33px"; userBtn.style.display = "flex"; userBtn.style.alignItems = "center"; userBtn.style.justifyContent = "center"; userBtn.style.color = "var(--ds-gray-900)"; userBtn.style.border = "1px solid var(--ds-gray-300)"; userBtn.style.borderRadius = "100%"; userBtn.style.cursor = "pointer"; userBtn.style.background = "transparent"; userBtn.style.padding = "0"; // user icon ( from geist) let svg = document.createElementNS('http://www.w3.org/2000/svg', 'svg'); svg.setAttribute('data-testid', 'geist-icon'); svg.setAttribute('height', '16'); svg.setAttribute('stroke-linejoin', 'round'); svg.setAttribute('style', 'color:currentColor'); svg.setAttribute('viewBox', '0 0 16 16'); svg.setAttribute('width', '16'); let path = document.createElementNS('http://www.w3.org/2000/svg', 'path'); path.setAttribute('fill-rule', 'evenodd'); path.setAttribute('clip-rule', 'evenodd'); path.setAttribute('d', 'M7.75 0C5.95507 0 4.5 1.45507 4.5 3.25V3.75C4.5 5.54493 5.95507 7 7.75 7H8.25C10.0449 7 11.5 5.54493 11.5 3.75V3.25C11.5 1.45507 10.0449 0 8.25 0H7.75ZM6 3.25C6 2.2835 6.7835 1.5 7.75 1.5H8.25C9.2165 1.5 10 2.2835 10 3.25V3.75C10 4.7165 9.2165 5.5 8.25 5.5H7.75C6.7835 5.5 6 4.7165 6 3.75V3.25ZM2.5 14.5V13.1709C3.31958 11.5377 4.99308 10.5 6.82945 10.5H9.17055C11.0069 10.5 12.6804 11.5377 13.5 13.1709V14.5H2.5ZM6.82945 9C4.35483 9 2.10604 10.4388 1.06903 12.6857L1 12.8353V13V15.25V16H1.75H14.25H15V15.25V13V12.8353L14.931 12.6857C13.894 10.4388 11.6452 9 9.17055 9H6.82945Z'); path.setAttribute('fill', 'currentColor'); svg.appendChild(path); userBtn.appendChild(svg); loggedOutContainer.appendChild(userBtn); loggedOutContainer.style.display = 'flex'; loggedOutContainer.style.gap = '8px'; loggedOutContainer.style.alignItems = 'center'; user_status_content.firstChild.appendChild(loggedOutContainer); } })();
Menu

Managing microfrontends security

Last updated March 26, 2026

Understand how and where you manage Deployment Protection and Vercel Firewall for each microfrontend application.

Deployment Protection and microfrontends

Because each URL is protected by the Deployment Protection settings of the project it belongs to, the deployment protection for the microfrontend experience as a whole is determined by the default application.

For requests to a microfrontend host (a domain belonging to the microfrontend default application):

  • Requests are only verified by the Deployment Protection settings for the project of your default application

For requests directly to a child application (a domain belonging to a child microfrontend):

  • Requests are only verified by the Deployment Protection settings for the project of the child application

This applies to all protection methods and bypass methods, including:

Managing Deployment Protection for your microfrontend

Use the Deployment Protection settings for the project of the default application to control access to the microfrontend.

We recommend the following configuration:

  • Default app: Use Standard Protection so that end users can access the microfrontend through the default app's URL.
  • Child apps: Enable protection for all deployments so that child apps are not directly accessible. Since child app content is served through the default app's URL, child apps can only be accessed via the URL of the default project.

This works because Vercel handles routing to child apps within a single request at the network layer — as explained in Path Routing — it is not a rewrite that would result in a separate request to the child app's URL. Deployment protection on the child app therefore applies only when the child app's URL is accessed directly.

Vercel Firewall and microfrontends

Vercel WAF and microfrontends

For requests to a microfrontend host (a domain belonging to the microfrontend default application):

  • All requests are verified by the Vercel WAF for the project of your default application
  • Requests to child applications are additionally verified by the Vercel WAF for their project

For requests directly to a child application (a domain belonging to a child microfrontend):

  • Requests are only verified by the Vercel WAF for the project of the child application.

This applies for the entire Vercel WAF, including Custom Rules, IP Blocking, WAF Managed Rulesets, and Attack Challenge Mode.

Managing the Vercel WAF for your microfrontend

  • To set a WAF rule that applies to all requests to a microfrontend, use the Vercel WAF for your default application.

  • To set a WAF rule that applies only to requests to paths of a child application, use the Vercel WAF for the child project.

Was this helpful?

supported.