Reference

HTTPS/SSL

Out of the box, every Deployment on Vercel is served over an HTTPS connection. Learn more about how encryption works for the Edge Network here.
Table of Contents

Out of the box, every Deployment on Vercel is served over an HTTPS connection. The SSL certificates for these unique URLs are automatically generated free of charge.

Any HTTP requests to your Deployments are automatically forwarded to HTTPS using the 308 status code:

HTTP/1.1 308 Moved Permanently
Content-Type: text/plain
Location: https://<your-deployment-host>

An example showing how all HTTP requests are forwarded to HTTPS.

Enabling HTTPS redirection for Deployments is considered an industry standard, and therefore it is not possible to disable it. This ensures that web content is always served over a secure connection, which helps protect users' data and privacy.

If the client that is issuing requests to your Deployment wants to establish a WebSocket connection, please ensure it is connecting using HTTPS directly, as the WSS protocol does not support redirections.

​Vercel supports TLS version 1.2 and TLS version 1.3.

​Vercel supports both Session Identifiers and Session Tickets as methods for resuming a TLS connection. This can significantly improve Time To First Byte for second time visitors.

To ensure clients can validate TLS certificates as quickly as possible, we staple an OCSP response allowing them to skip a network request to check for revocation, which improves TTFB for first-time visitors.

In order to ensure the integrity of the data received and sent by any Deployment running on the Vercel platform, we only support strong ciphers with forward secrecy.

The following cipher algorithms are supported:

  • TLS_AES_128_GCM_SHA256 (TLS 1.3)
  • TLS_AES_256_GCM_SHA384 (TLS 1.3)
  • TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3)
  • ECDHE-ECDSA-AES128-GCM-SHA256 (TLS 1.2)
  • ECDHE-RSA-AES128-GCM-SHA256 (TLS 1.2)
  • ECDHE-ECDSA-AES256-GCM-SHA384 (TLS 1.2)
  • ECDHE-RSA-AES256-GCM-SHA384 (TLS 1.2)
  • ECDHE-ECDSA-CHACHA20-POLY1305 (TLS 1.2)
  • ECDHE-RSA-CHACHA20-POLY1305 (TLS 1.2)
  • DHE-RSA-AES256-GCM-SHA384 (TLS 1.2)

This is the recommended configuration from Mozilla.

The .vercel.app domain (and therefore all of its sub domains, which are the unique URLs set when creating a deployment) support HSTS automatically and are preloaded.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload;

The default Strict-Transport-Security header for *.vercel.app

Custom domains use HSTS, but only for the particular subdomain.

Strict-Transport-Security: max-age=63072000;

The default Strict-Transport-Security header for custom domains

You can modify the Strict-Transport-Security header by configuring custom response headers in your project.

Theoretically, you could set the max-age parameter to a different value (it indicates how long the client should remember that your site is only accessible over HTTPS), but since we do not allow connections made over HTTP, there is no point in setting it to a shorter value, as the client can just remember it forever.

You can test whether your site qualifies for HSTS Preloading here . It also allows submitting the domain to Google Chrome's hardcoded HSTS list. Making it onto that list means your site will become even faster, as it is always accessed over HTTPS right away, instead of the browser following the redirection issued by our Network layer.

The unique URLs generated when creating a deployment are handled using a wildcard certificate issued for the .vercel.app domain. The Vercel platform generates wildcard certificates using LetsEncrypt and keeps them updated automatically.

When custom certificates are generated using vercel certs issue, however, their keys are placed in our database and encrypted at rest within the Network layer.

Then, once a hostname is requested, the certificate and key are read from the database and used for establishing the secure connection. In addition, both are cached in memory for optimal SSL termination performance.

Any features of the encryption mechanism that were left uncovered are documented on SSL Labs. You only need to make sure to select any IP address of your choice (it does not matter which one you pick – the results are the same for all).

Last updated on July 17, 2024