Skip to content

Can I Set a Cookie from My Vercel Project Subdomain to Vercel.app?

In general, if you use the Set-Cookie header in your subdomain with name=cookievalue; Domain=yourapexdomain.com, the cookie will be applied to the apex domain yourapexdomain.com. If you do this at the level of your Vercel Project subdomain such as myprojectname.vercel.app, will the cookie be applied to vercel.app?

The Public Suffix List

Vercel.app is under the public suffix list for security purposes and as described in Wikipedia, one of it’s uses is to avoid supercookies. These are cookies with an origin set at the top-level or apex domain such as vercel.app. If an attacker in control of a Vercel project subdomain website sets up a supercookie, it can disrupt any site at the level of vercel.app or below such as anotherproject.vercel.app.

Therefore, for your own security, it is not possible to set a cookie at the level of vercel.app from your project subdomain.

Couldn't find the guide you need?