feat(web): block suspicious SG traffic to reduce Vercel costs

[lui7henrique]

Describe your changes

• Added a shared traffic-guard utility in apps/web/src/lib/traffic-guard.ts.
• Added early traffic blocking in apps/web/src/proxy.ts using country headers (x-vercel-ip-country / cf-ipcountry) and user-agent rules.
• Added the same blocking guard in high-cost API routes:
  • apps/web/src/app/api/proxy/route.ts
  • apps/web/src/app/api/checkout_sessions/route.ts
• Hardcoded SG ('SG') directly in code as blocked traffic country (no env dependency).
• Hardened API abuse protection with a new helper apps/web/src/lib/request-security.ts:
  • same-origin enforcement for sensitive API routes,
  • in-memory per-IP rate limiting (/api/proxy: 60/min, checkout_sessions: 12/min),
  • proper 429 with retry-after.
• Expanded suspicious traffic blocking for scripted/automated user-agents and missing user-agent requests.
• Allowed known crawlers in page middleware to preserve social/SEO preview behavior.

Issue ticket number and link

• N/A

Checklist before requesting a review

• I have performed a self-review of my code
• If it's an essential feature, I've tested it thoroughly.
• Do we need to implement analytics?
• Will this be part of a product update? If yes, please write one phrase about this update.

  

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
plotwist	Ready	Preview, Comment	Apr 20, 2026 3:42am