Skip to content
3 min read

Edge Middleware Limitations

Learn about the limitations and restrictions of using Edge Middleware with Vercel with this reference.

Edge Middleware is neither a Node.js nor browser application, which means it doesn't have access to all browser and Node.js APIs. Currently, our runtime offers a subset of browser APIs and some Node.js APIs, and we plan to implement more functionality in the future.

There are some restrictions to writing middleware, which is documented in the Edge Middleware API guide.

In summary:

  • Use ES modules
  • Most libraries that use Node.js APIs as dependencies can't be used in Edge Middleware. While we're adding support for more Node.js APIs over time, see the currently available APIs
  • Dynamic code execution (such as eval) is not allowed (see the next section for more details)

Dynamic code execution is not available in Edge Middleware for security reasons. For example, the following APIs cannot be used:

Evaluates JavaScript code represented as a string
Creates a new function with the code provided as an argument
Compiles and instantiates a WebAssembly module from a buffer source

Most importantly, you need to make sure libraries used in your Edge Middleware don't rely on dynamic code execution because it leads to a runtime error.

Edge Middleware must begin sending a response within 25 seconds.

You may continue streaming a response beyond that time and you can continue with asynchronous workloads in the background, after returning the response.

Edge Middleware can only use up to 128MB. If it exceeds this limit, the execution will be aborted and we will return a 502 error.

Limit (after gzip compression)
1 MB
2 MB
4 MB

The maximum size for an Edge Function includes your JavaScript code, imported libraries and files (such as fonts), and all files bundled in the function.

If you reach the limit, make sure the code you are importing in your function is used and is not too heavy. You can use a package size checker tool like bundle to check the size of a package and search for a smaller alternative.

While Vercel allows Environment Variables up to a total of 64 KB in size, Edge Middleware is limited to 5KB per Environment Variable.

Environment Variables can be accessed through the process.env object. Since JavaScript objects have methods to allow some operations on them, there are limitations on the names of Environment Variables to avoid having ambiguous code.

The following names will be ignored as Environment Variables to avoid overriding the process.env object prototype:

  • constructor
  • __defineGetter__
  • __defineSetter__
  • hasOwnProperty
  • __lookupGetter__
  • __lookupSetter__
  • isPrototypeOf
  • propertyIsEnumerable
  • toString
  • valueOf
  • __proto__
  • toLocaleString

Therefore, your code will always be able to use them with their expected behavior:

// returns `true`, if `process.env.MY_VALUE` is used anywhere & defined in the Vercel dashboard
Maximum URL length
14 KB
Maximum request body length
4 MB
Maximum number of request headers
Maximum request headers length
16 KB

The maximum number of requests from fetch API is 950 per Edge Middleware invocation.

To avoid CPU timing attacks, like Spectre, date and time functionality is not generally available. In particular, the time returned from only advances after I/O operations, like fetch. For example:

export default function middleware(request: Request) {
  for (let i = 0; i < 1000; i++) {
    console.log(; // Prints the same value 1000 times.
  await fetch('');
  console.log(; // Prints another value.
Last updated on March 2, 2023