{"id":2754,"date":"2026-04-28T14:04:14","date_gmt":"2026-04-28T14:04:14","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/28\/http-requests-with-x-vercel-set-bypass-cookie-header-tue-apr-28th\/"},"modified":"2026-04-28T14:04:14","modified_gmt":"2026-04-28T14:04:14","slug":"http-requests-with-x-vercel-set-bypass-cookie-header-tue-apr-28th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/28\/http-requests-with-x-vercel-set-bypass-cookie-header-tue-apr-28th\/","title":{"rendered":"HTTP Requests with X-Vercel-Set-Bypass-Cookie Header, (Tue, Apr 28th)"},"content":{"rendered":"<div>\n<p>This weekend, we saw a few requests to our honeypot that included an &#8220;X-Vercel-Set-Bypass-Cookie&#8221; header. A sample request:<\/p>\n<blockquote>\n<p><tt>GET \/ HTTP\/1.1<br \/>\nUser-Agent:\u00a0Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36<br \/>\nAccept:\u00a0text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/ *;q=0.8<br \/>\nAccept-Language:\u00a0en-US,en;q=0.5<br \/>\nAccept-Encoding:\u00a0gzip, deflate, br<br \/>\nCache-Control: no-cache<br \/>\nPragma:\u00a0no-cache<br \/>\nConnection: keep-alive<br \/>\nX-Vercel-Set-Bypass-Cookie: samesite-none-secure<br \/>\nUpgrade-Insecure-Requests: 1<br \/>\nX-Forwarded-From: 21.235.92.139<br \/>\nX-Real-Iphone: 21.235.92.139<br \/>\nReferer: [redacted, same as \"Host\" header]<br \/>\nHost:\u00a0[redacted]<\/tt><\/p>\n<\/blockquote>\n<p>Vercel documents the &#8220;x-vercel-protection-bypass&#8221; header (note: no &#8220;Cookie&#8221; part) as a secret that can be configured to disable certain protections during testing. This type of bypass feature is common in various platforms. In particular, web application firewall features often need to be disabled to allow higher request rates during CI\/CD pipeline operations. 
The value set in the header is a user-configurable secret [1].<\/p>\n<p>The X-Vercel-Set-Bypass-Cookie header allows testing in browsers and maintains the bypass by having the server set a cookie to indicate the bypass. There are two options according to Vercel&#8217;s documentation:<\/p>\n<ol>\n<li>True: enables the cookie<\/li>\n<li>samesitenone: enables the cookie and sets the same-site property to none.<\/li>\n<\/ol>\n<p>I did not see the &#8220;<tt>samesite-none-secure<\/tt>&#8221; value documented by Vercel.<\/p>\n<p>The most likely intention of the header is to relax security settings, or maybe even to steal secrets, should Vercel expose them in the cookie. I have not had a chance to test the request against a Vercel website. Any input as to the intent is welcome.<\/p>\n<p>The request was also sent via an open proxy, likely to protect the attacker&#8217;s identity, but it failed due to the configured proxy headers.<\/p>\n<p>[1] https:\/\/vercel.com\/docs\/deployment-protection\/methods-to-bypass-deployment-protection\/protection-bypass-automation<\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D., Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>This weekend, we saw a few requests to our honeypot that included an &#8220;X-Vercel-Set-Bypass-Cookie&#8221; header. 
A sample request: GET \/ HTTP\/1.1 User-Agent:\u00a0Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Accept:\u00a0text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/ *;q=0.8 Accept-Language:\u00a0en-US,en;q=0.5 Accept-Encoding:\u00a0gzip, deflate, br Cache-Control: no-cache Pragma:\u00a0no-cache Connection: keep-alive X-Vercel-Set-Bypass-Cookie: samesite-none-secure Upgrade-Insecure-Requests: 1 X-Forwarded-From: 21.235.92.139 X-Real-Iphone: 21.235.92.139 Referer: [redacted, same [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-2754","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head_json":{"title":"HTTP Requests with X-Vercel-Set-Bypass-Cookie Header, (Tue, Apr 28th) - Imperative Business Ventures Limited","canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/28\/http-requests-with-x-vercel-set-bypass-cookie-header-tue-apr-28th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-04-28T14:04:14+00:00","author":"admin"}}