The Vercel Web Application Firewall (WAF) is now launching a new managed ruleset called Bot Filter, free for all users on all plans. This feature provides better controls to fine-tune application security and protect against bot attacks such as cross-site scripting, traversal, and application DDoS attacks. The Bot Filter uses a heuristics-based detection approach that distinguishes between browser-based traffic (human) or non-browser based (likely bot) traffic with zero configuration needed. It allows requests from real browsers and verified bots to pass through while issuing challenges to non-browser clients like `curl` or unwanted scrapers. The feature ties directly into the WAF, maintaining a list of verified bots to ensure authenticity and reduce maintenance overhead. Bot Filter is ideal for legitimate services like AI and SEO bots or when expecting mostly human traffic, continuously challenging non-browser traffic to improve app performance and optimize resource usage for real customers.