CDN security
Vercel's CDN applies multiple layers of security to every incoming request before it reaches your application. Encryption, firewall protection, and DDoS mitigation all happen at the CDN level, so your deployments are protected by default.
Vercel serves every deployment over HTTPS and automatically provisions SSL certificates for all deployment URLs and custom domains. The CDN redirects plain HTTP requests to HTTPS with a 308 status code.
The CDN supports TLS 1.2 and TLS 1.3 with strong cipher suites that provide forward secrecy. TLS session resumption reduces Time to First Byte (TTFB) for returning visitors, and OCSP stapling speeds up certificate validation for first-time visitors.
Vercel also supports post-quantum cryptography through the X25519MLKEM768 key exchange mechanism. This protects your deployments against future quantum computing attacks for visitors using Chrome 131+, Firefox 132+, and Safari 26+.
The CDN negotiates the following protocols through ALPN:
The Vercel Firewall inspects every request as it arrives at the CDN, before it reaches your application. It operates in three layers: platform-wide firewall, Web Application Firewall (WAF), and bot management.
Platform-wide firewall: All Vercel customers get an enterprise-grade firewall at no cost. It runs automatically and includes DDoS mitigation and protection against low-quality traffic. You don't need to configure anything.
Web Application Firewall (WAF): You can configure custom rules, managed rulesets, and traffic challenges at the project level. The WAF lets you block, challenge, or log requests based on IP, path, headers, geographic location, and other attributes.
Bot management: Vercel classifies incoming traffic to separate legitimate bots from automated threats. You can challenge non-browser traffic, control AI crawlers, and allow verified bots like search engines to pass through unchallenged.
You can configure HTTP security headers to protect visitors from common web vulnerabilities. Vercel applies HSTS automatically on .vercel.app domains and custom domains.
Headers you can configure:
- Content-Security-Policy (CSP): Restrict which sources can load scripts, images, and other resources to prevent cross-site scripting (XSS).
- Strict-Transport-Security (HSTS): Tell browsers to always connect over HTTPS.
- X-Frame-Options: Prevent your pages from being embedded in iframes to block clickjacking.
- X-Content-Type-Options: Stop browsers from MIME-type sniffing responses.
The .vercel.app domain and all subdomains support HSTS by default and are preloaded in browser HSTS lists. Custom domains also use HSTS. You can modify the Strict-Transport-Security header in your project's response headers configuration.
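As an added example (not from Vercel's documentation), the following `vercel.json` fragment sets the four headers above on every path using the `headers` configuration key. The `source` pattern and the specific CSP directives are assumptions for a site that serves all of its own scripts and images; tighten or extend them to match the origins your application actually loads from.

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Content-Security-Policy",
          "value": "default-src 'self'; script-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        },
        {
          "key": "Strict-Transport-Security",
          "value": "max-age=63072000; includeSubDomains; preload"
        },
        {
          "key": "X-Frame-Options",
          "value": "DENY"
        },
        {
          "key": "X-Content-Type-Options",
          "value": "nosniff"
        }
      ]
    }
  ]
}
```

Note that `frame-ancestors 'none'` in the CSP and `X-Frame-Options: DENY` express the same clickjacking policy; keeping both covers browsers that only honor one of them.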