Security

CDN security

Last updated March 5, 2026

Vercel's CDN applies multiple layers of security to every incoming request before it reaches your application. Encryption, firewall protection, and DDoS mitigation all happen at the CDN level, so your deployments are protected by default.

Vercel serves every deployment over HTTPS and automatically provisions SSL certificates for all deployment URLs and custom domains. The CDN redirects HTTP requests to HTTPS with a 308 status code.

The CDN supports TLS 1.2 and TLS 1.3 with strong cipher suites that provide forward secrecy. TLS session resumption reduces Time to First Byte (TTFB) for returning visitors, and OCSP stapling speeds up certificate validation for first-time visitors.

Vercel also supports post-quantum cryptography through the X25519MLKEM768 key exchange mechanism. This protects your deployments against future quantum computing attacks in Chrome 131+, Firefox 132+, and Safari 26+.

The CDN negotiates the following protocols through ALPN:

The Vercel Firewall inspects every request as it arrives at the CDN, before it reaches your application. It operates in three layers: platform-wide firewall, Web Application Firewall (WAF), and bot management.

All Vercel customers get an enterprise-grade firewall at no cost. It runs automatically and includes DDoS mitigation and protection against low-quality traffic. You don't need to configure anything.

You can configure custom rules, managed rulesets, and traffic challenges at the project level. The WAF lets you block, challenge, or log requests based on IP, path, headers, geographic location, and other attributes.

Vercel classifies incoming traffic to separate legitimate bots from automated threats. You can challenge non-browser traffic, control AI crawlers, and allow verified bots like search engines to pass through unchallenged.

You can configure HTTP security headers to protect visitors from common web vulnerabilities. Vercel applies HSTS automatically on .vercel.app domains and custom domains.

Headers you can configure:

  • Content-Security-Policy (CSP): Restrict which sources can load scripts, images, and other resources to prevent cross-site scripting (XSS).

  • Strict-Transport-Security (HSTS): Tell browsers to always connect over HTTPS.

  • X-Frame-Options: Prevent your pages from being embedded in iframes to block clickjacking.

  • X-Content-Type-Options: Stop browsers from MIME-type sniffing responses.


The .vercel.app domain and all subdomains support HSTS by default and are preloaded in browser HSTS lists. Custom domains also use HSTS. You can modify the Strict-Transport-Security header in your project's response headers configuration.
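
To check that a deployment actually returns the headers listed above, the following added example (not Vercel's code) audits a set of response headers and reports weak or missing values. The function names, the one-year `max-age` floor, and both sample responses are assumptions constructed for illustration.

```javascript
// Added example, not Vercel code. Names, threshold and samples are assumptions.
const MIN_HSTS_MAX_AGE = 31536000; // seconds; assumed policy floor (one year)
// Parse an HSTS value such as "max-age=63072000; includeSubDomains; preload".
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of String(value).split(";")) {
    const [name, raw = ""] = part.trim().split("=");
    const key = name.toLowerCase();
    const digits = raw.trim().replace(/^"|"$/g, "");
    if (key === "max-age" && /^\d+$/.test(digits)) out.maxAge = Number(digits);
    else if (key === "includesubdomains") out.includeSubDomains = true;
    else if (key === "preload") out.preload = true;
  }
  return out;
}

// Returns a list of findings; an empty list means every check passed.
function auditSecurityHeaders(headers) {
  const h = {}; // header names are case-insensitive, so normalise them first
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const hsts = h["strict-transport-security"];
  if (!hsts) findings.push("hsts: missing");
  else if (parseHsts(hsts).maxAge === null) findings.push("hsts: no valid max-age");
  else if (parseHsts(hsts).maxAge < MIN_HSTS_MAX_AGE) findings.push("hsts: max-age under one year");
  const csp = h["content-security-policy"];
  if (!csp) findings.push("csp: missing");
  else {
    // Scripts are governed by script-src, falling back to default-src.
    const dirs = csp.split(";").map((d) => d.trim().split(/\s+/));
    const find = (n) => dirs.find((d) => d[0].toLowerCase() === n);
    const script = find("script-src") || find("default-src");
    // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    const pinned = script && script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    if (!script) findings.push("csp: no script-src or default-src");
    else if (script.includes("*") || (script.includes("'unsafe-inline'") && !pinned))
      findings.push("csp: script sources not restricted");
  }
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo !== "DENY" && xfo !== "SAMEORIGIN") findings.push("x-frame-options: missing or invalid");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") findings.push("x-content-type-options: not nosniff");
  return findings;
}
// Constructed sample responses (not captured from any real deployment).
const WEAK = { "Strict-Transport-Security": "max-age=300",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'" };
const HARDENED = { "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
  "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'",
  "x-frame-options": "DENY", "x-content-type-options": "nosniff" };
console.log(auditSecurityHeaders(WEAK), auditSecurityHeaders(HARDENED));
```

Run it against the headers of a real response (for example, the entries of a `fetch` response's `headers`) as a post-deploy check after changing your project's response headers configuration.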

