
Encryption and TLS

Last updated March 5, 2026

Every deployment on Vercel is served over an HTTPS connection. Vercel automatically generates SSL certificates for these unique URLs at no cost.

The CDN automatically forwards any HTTP requests to your deployment to HTTPS using the 308 status code:

HTTP/1.1 308 Moved Permanently
Content-Type: text/plain
Location: https://<your-deployment-host>

An example showing how all HTTP requests are forwarded to HTTPS.

HTTPS redirection is an industry standard and can't be disabled. This ensures that all web content is served over a secure connection, protecting your users' data and privacy.

If your client needs to establish a WebSocket connection, connect using HTTPS directly. The WSS protocol doesn't support redirects.

Vercel supports TLS version 1.2 and TLS version 1.3.

Vercel supports both Session Identifiers and Session Tickets for TLS session resumption. This improves Time to First Byte (TTFB) for returning visitors.

Vercel staples an OCSP response to each TLS handshake. This lets clients skip the network request to check certificate revocation, improving TTFB for first-time visitors.

To protect data integrity, Vercel only supports strong ciphers with forward secrecy.

Supported cipher algorithms:

  • TLS_AES_128_GCM_SHA256 (TLS 1.3)
  • TLS_AES_256_GCM_SHA384 (TLS 1.3)
  • TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3)
  • ECDHE-ECDSA-AES128-GCM-SHA256 (TLS 1.2)
  • ECDHE-RSA-AES128-GCM-SHA256 (TLS 1.2)
  • ECDHE-ECDSA-AES256-GCM-SHA384 (TLS 1.2)
  • ECDHE-RSA-AES256-GCM-SHA384 (TLS 1.2)
  • ECDHE-ECDSA-CHACHA20-POLY1305 (TLS 1.2)
  • ECDHE-RSA-CHACHA20-POLY1305 (TLS 1.2)
  • DHE-RSA-AES256-GCM-SHA384 (TLS 1.2)

This is the recommended configuration from Mozilla.

Vercel offers the X25519MLKEM768 key exchange mechanism during TLS handshakes to protect your deployments against future quantum computing attacks. Your browser negotiates this mechanism automatically if you use:

  • Chrome 131 and above
  • Firefox 132 and above
  • Safari 26 and above

The .vercel.app domain (and therefore all of its subdomains, which are the unique URLs set when creating a deployment) supports HSTS automatically and is preloaded.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload;

The default Strict-Transport-Security header for *.vercel.app

Custom domains use HSTS, but only for the particular subdomain.

Strict-Transport-Security: max-age=63072000;

The default Strict-Transport-Security header for custom domains

You can modify the Strict-Transport-Security header by configuring custom response headers in your project.

You can set the max-age parameter to a different value. It controls how long the client remembers that your site is HTTPS-only. Since Vercel doesn't allow HTTP connections, there's no reason to shorten it.

You can test whether your site qualifies for HSTS Preloading here. It also allows submitting the domain to Google Chrome's hardcoded HSTS list. Making it onto that list means your site will become even faster, as it is always accessed over HTTPS right away, instead of the browser following the redirection issued by the CDN.
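
The header part of that preload check, as an added example (not Vercel's code): it parses a Strict-Transport-Security value following RFC 6797 and reports which preload directives are missing, run here on the two default headers quoted above. The function names are this example's own, and the one-year max-age floor and required directives are taken from the hstspreload.org submission requirements, which this page does not list; the other submission requirements (redirects, certificate, subdomain coverage) are not checked.

```python
import re

# Assumption (hstspreload.org requirements, not stated on this page):
# max-age of at least one year, plus includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797 section 6.1).

    Returns a dict keyed by lower-cased directive name, or None when the
    header is invalid (missing/malformed max-age or a repeated directive).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directive, e.g. trailing ';'
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]               # quoted-string values are allowed
        if name in directives:            # each directive may appear only once
            return None
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def preload_gaps(value):
    """List what keeps a header from meeting the preload header rules."""
    parsed = parse_hsts(value)
    if parsed is None:
        return ["invalid header"]
    gaps = []
    if parsed["max-age"] < PRELOAD_MIN_MAX_AGE:
        gaps.append("max-age below one year")
    if "includesubdomains" not in parsed:
        gaps.append("missing includeSubDomains")
    if "preload" not in parsed:
        gaps.append("missing preload")
    return gaps


# The two default headers quoted on this page.
VERCEL_APP_DEFAULT = "max-age=63072000; includeSubDomains; preload;"
CUSTOM_DOMAIN_DEFAULT = "max-age=63072000;"
```

`preload_gaps(CUSTOM_DOMAIN_DEFAULT)` returns the two missing directives, which is what a custom response header would need to add before the domain could be submitted.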

Vercel uses a wildcard certificate issued for .vercel.app to handle all deployment URLs. Vercel generates these certificates through Let's Encrypt and keeps them updated automatically.

When you generate custom certificates with vercel certs issue, Vercel stores the keys in the database and encrypts them at rest within the CDN.

When a hostname is requested, the CDN reads the certificate and key from the database to establish the secure connection. Both are cached in memory for optimal SSL termination performance.

For a complete breakdown, see the SSL Labs report for vercel.com. You can select any IP address — the results are the same for all.

