Builder returned invalid routes: should NOT be longer than 4096 char

It’s very much the same discussion as #8676, albeit with a new insight. I’ve also posted this in GitHub discussions at Error: Builder returned invalid routes: should NOT be longer than 4096 characters · vercel/vercel · Discussion #13283 · GitHub

My codebase has an extensive Content Security Policy (CSP) setup. I.e. many HTTP headers. Vercel is therefore giving the error ‘Builder returned invalid routes: should NOT be longer than 4096 characters’ during Vercel builds.

Please consider this discussion as a feature request and opportunity to help others.

  • I would expect this error to happen on localhost in a next build since the Vercel-Next.js relation is strong.
  • My solution was to relax the CSP config. Instead of listing hardcoded domains, I’ve basically reverted to an ‘allow most’ setup. I think Vercel’s technical setup should NOT reduce security.

The reason for the many CSP entries is the Google Tag Manager requirement to list all Google TLDs. See Use Tag Manager with a Content Security Policy | Tag Platform | Google for Developers

1 Like

Hey @ddeleeuw. I moved this topic over to Feedback and shared with the team

1 Like

I have the exact same issue.

Curious, how did you implement an “allow most” setup for your CSP config? @ddeleeuw

Hi Matthew,

So instead of listing all Google TLDs in the connect-src directive, I’ve reverted the entries to just 'self' and 'https:'.

Since I use next-secure-headers, this is the full directive:

// Be advised, if we configure connectSrc in a strict setup, we need all
// Google TLDs in here, making the header list too long for usage on Vercel.
// @see https://community.vercel.com/t/builder-returned-invalid-routes-should-not-be-longer-than-4096-char/9624
connectSrc: ["'self'", 'https:', ...(process.env.NODE_ENV === 'development' ? ['http:'] : [])],
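
Added example, not part of the thread or of next-secure-headers: a local check that serializes a directive map like the one above, compares its length with the 4096-character limit from the error message, and lists scheme-only sources such as `https:`, which match every HTTPS origin. The helper names and the placeholder hosts are constructed, and it is an assumption that the limit applies to the serialized header value.

```javascript
// Hypothetical helpers for a pre-deploy CSP size check (not a Vercel or Next.js API).
// Assumption: the 4096-character limit in the error applies to the header value.
const LIMIT = 4096;

// connectSrc -> connect-src
const toKebab = (key) => key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());

// Serialize one directive, e.g. "connect-src 'self' https:".
const directiveText = (name, sources) => `${toKebab(name)} ${sources.join(' ')}`;

// Serialize { connectSrc: [...], defaultSrc: [...] } into one CSP header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => directiveText(name, sources))
    .join('; ');
}

// Total length, per-directive cost (largest first), and scheme-only sources.
function cspBudgetReport(directives, limit = LIMIT) {
  const header = buildCsp(directives);
  const perDirective = Object.entries(directives)
    .map(([name, sources]) => ({
      directive: toKebab(name),
      length: directiveText(name, sources).length,
      // A bare scheme such as https: matches every origin using that scheme.
      schemeOnly: sources.filter((s) => /^[a-z][a-z0-9+.-]*:$/i.test(s)),
    }))
    .sort((a, b) => b.length - a.length);
  return { length: header.length, overLimit: header.length > limit, perDirective };
}

// Constructed input: 200 placeholder hosts standing in for a long per-TLD allowlist.
const hosts = Array.from({ length: 200 }, (_, i) => `https://www.example-${i}.test`);
const strict = { defaultSrc: ["'self'"], connectSrc: ["'self'", ...hosts] };
const relaxed = { defaultSrc: ["'self'"], connectSrc: ["'self'", 'https:'] };

const strictReport = cspBudgetReport(strict);
const relaxedReport = cspBudgetReport(relaxed);

for (const [label, r] of [['strict', strictReport], ['relaxed', relaxedReport]]) {
  const top = r.perDirective[0];
  console.log(`${label}: ${r.length} chars, over limit: ${r.overLimit}, ` +
    `largest: ${top.directive} (${top.length}), ` +
    `scheme-only: ${top.schemeOnly.join(' ') || 'none'}`);
}
```

Run against the real directive map in a local build step, the per-directive lengths show which allowlist has to shrink before the deploy fails.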