March 06, 2026 · 7 min read

Update, May 2026: Doorman 2.0 is out with Cloudflare WAF support and a new multi-provider config format. Read the 2.0 release post for what’s new.
When managing multiple Vercel projects, keeping firewall rules consistent and version-controlled becomes a real challenge. That’s why I built Vercel Doorman – a CLI tool that brings Infrastructure as Code principles to Vercel’s firewall management.
The Problem
Vercel’s firewall is powerful, but managing rules through the dashboard has limitations:
- No version control for security configurations
- Manual rule management across multiple projects
- Difficult to maintain consistency between environments
- No way to automate firewall deployments in CI/CD pipelines
The Solution
Vercel Doorman transforms firewall management into a code-first workflow. Instead of clicking through dashboards, you define your security rules in a JSON configuration file:
```json
{
  "$schema": "https://doorman.griffen.codes/schema.json",
  "projectId": "prj_example",
  "rules": [
    {
      "name": "Block Bad Bots",
      "description": "Block known malicious user agents",
      "conditionGroup": [
        {
          "conditions": [
            {
              "type": "user_agent",
              "op": "inc",
              "value": ["BadBot", "Scraper", "Crawler"]
            }
          ]
        }
      ],
      "action": {
        "mitigate": {
          "action": "deny"
        }
      },
      "active": true
    }
  ]
}
```
Key Features I Built In
Template System
Rather than starting from scratch, Doorman includes pre-built templates for common security patterns:
- AI bot blocking
- WordPress vulnerability protection
- OFAC sanctions compliance
- Bad bot detection
Bidirectional Sync
The tool works both ways – you can sync local configs to Vercel, or download existing rules from Vercel to start managing them as code.
Validation & Safety
Built-in Zod schema validation prevents deployment of invalid configurations. The tool also includes dry-run modes and confirmation prompts for destructive operations.
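A review gate in the spirit of the dry-run described above, as an added example that is not part of Doorman: it compares rules downloaded from Vercel with the rules in a proposed config and flags changes that weaken protection. The `reviewSync` helper, matching rules by `name`, and the sample rules are assumptions of this example.

```javascript
// Added example, not Doorman's own code. Rule fields follow the config above;
// matching rules by `name` is an assumption of this sketch.

// Serialize with sorted keys so key order alone never counts as a change.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    const keys = Object.keys(value).sort();
    return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

const mitigation = (rule) => rule?.action?.mitigate?.action;

// One finding per differing rule. `weakens` marks changes that reduce
// protection: an active rule removed or disabled, or "deny" replaced.
function reviewSync(deployedRules, proposedRules) {
  const deployed = new Map(deployedRules.map((r) => [r.name, r]));
  const proposed = new Map(proposedRules.map((r) => [r.name, r]));
  const findings = [];
  for (const [name, before] of deployed) {
    const after = proposed.get(name);
    if (!after) {
      findings.push({ name, change: "removed", weakens: before.active === true });
    } else if (canonical(before) !== canonical(after)) {
      const disabled = before.active === true && after.active !== true;
      const undenied = mitigation(before) === "deny" && mitigation(after) !== "deny";
      findings.push({ name, change: "modified", weakens: disabled || undenied });
    }
  }
  for (const name of proposed.keys()) {
    if (!deployed.has(name)) findings.push({ name, change: "added", weakens: false });
  }
  return findings;
}

// Constructed sample rules (names and values are illustrative only).
const rule = (name, active, values) => ({
  name, active, action: { mitigate: { action: "deny" } },
  conditionGroup: [{ conditions: [{ type: "user_agent", op: "inc", value: values }] }],
});
const deployedSample = [rule("Block Bad Bots", true, ["BadBot"]), rule("Block Scrapers", true, ["Scraper"])];
const proposedSample = [rule("Block Bad Bots", false, ["BadBot"]), rule("Block Crawlers", true, ["Crawler"])];

// A CI job could print these findings and require sign-off when any has weakens === true.
const sampleFindings = reviewSync(deployedSample, proposedSample);
console.log(sampleFindings);
```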
CI/CD Ready
Environment variable support and programmatic interfaces make it perfect for automated deployments:
```bash
# In your CI pipeline
vercel-doorman sync --token "$VERCEL_TOKEN"
```
Technical Architecture
I built Doorman with TypeScript and a clean service layer architecture:
- Commands: Each CLI command is a separate module (list, sync, download, validate, template)
- Services: Core business logic separated into FirewallService and VercelClient
- Schemas: Zod schemas provide both runtime validation and TypeScript types
- Templates: Extensible template system for common rule patterns
The build system uses tsup for fast bundling to both CommonJS and ESM, making it compatible across different Node.js environments.
Real-World Impact
Since publishing Doorman, I’ve seen teams adopt it for:
- Compliance: Maintaining consistent security policies across environments
- Automation: Integrating firewall updates into deployment pipelines
- Collaboration: Code reviews for security rule changes
- Documentation: Self-documenting security configurations
What’s Next
I’m continuing to expand the template library and exploring integrations with other security tools. The goal is making Vercel firewall management as seamless as any other infrastructure component. Doorman 2.0 took a big step in that direction – Cloudflare WAF is now a first-class provider alongside Vercel.
If you’re managing Vercel projects and want to level up your security workflow, give Vercel Doorman a try:
```bash
npm install vercel-doorman
```
The full source code is available on GitHub, and I’d love to hear how you’re using it in your projects.
Vercel Doorman is open source and available on npm. Check out the documentation to get started.


