How to suppress X-Matched-Path response header on Vercel for security compliance

Problem

During a third-party penetration test, X-Matched-Path was flagged as an information disclosure issue. It exposes internal routing structure (e.g., /admin, /api/chat) on every response, which gives attackers a free map of the application’s route surface.

What I’ve Tried

I attempted two approaches to remove it:

  1. Middleware headers.delete('X-Matched-Path') — header still present. Vercel’s edge layer injects it after middleware executes.
  2. next.config.ts async headers() override — setting it to an empty string. Vercel’s value still wins.

Request

Vercel support confirmed this is a platform-level header with no config flag or project setting to suppress it, unlike X-Powered-By, which has poweredByHeader: false in Next.js.

Add a project-level setting or vercel.json option to suppress platform headers like X-Matched-Path, similar to how Next.js allows poweredByHeader: false. Ideally a general mechanism for opting out of any non-essential platform headers.

Thanks!
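An added check, not part of the original post and not Vercel or Next.js tooling: a small Node script that audits a set of response headers for the two headers discussed above (X-Matched-Path and X-Powered-By) and reports any that are present with a non-empty value. The sample headers below are constructed to mirror the finding in the post; the URL passed on the command line is an assumption (any deployment you want to test), and the function names are my own.

```javascript
// Added example: audit response headers for the platform/framework headers
// named in the post. Runs on Node 18+ (global fetch and Headers).

// Only the two headers discussed in the post are checked.
const DISCLOSURE_HEADERS = ["x-matched-path", "x-powered-by"];

// Case-insensitive lookup that works for a fetch Headers instance or a plain
// object of name -> value. Returns null when the header is absent.
function getHeader(headers, name) {
  if (typeof headers.get === "function") {
    return headers.get(name);
  }
  const hit = Object.entries(headers).find(
    ([key]) => key.toLowerCase() === name
  );
  return hit ? hit[1] : null;
}

// Returns [{ name, value }] for every disclosure header present with a
// non-empty value. An empty string counts as suppressed, so a header override
// that blanks the value passes this check while a platform value that "wins"
// over the override is reported.
function findDisclosureHeaders(headers) {
  const found = [];
  for (const name of DISCLOSURE_HEADERS) {
    const value = getHeader(headers, name);
    if (value !== null && value !== undefined && value !== "") {
      found.push({ name, value });
    }
  }
  return found;
}

// Live check against a deployment (hypothetical URL, supplied by the caller).
// HEAD avoids downloading the body; redirects are not followed so the headers
// of the exact path requested are inspected.
async function auditUrl(url) {
  const res = await fetch(url, { method: "HEAD", redirect: "manual" });
  return findDisclosureHeaders(res.headers);
}

// Constructed sample headers, not captured from a real deployment.
const SAMPLE_LEAKY = new Headers({
  "content-type": "text/html; charset=utf-8",
  "x-matched-path": "/api/chat",
  "x-powered-by": "Next.js",
});
const SAMPLE_CLEAN = new Headers({
  "content-type": "text/html; charset=utf-8",
});

// Usage: node audit-headers.js https://your-deployment.example
if (process.argv[2]) {
  auditUrl(process.argv[2]).then((found) => {
    if (found.length === 0) {
      console.log("no disclosure headers present");
    } else {
      for (const { name, value } of found) {
        console.log(`${name}: ${value}`);
      }
      process.exitCode = 1;
    }
  });
}

module.exports = { findDisclosureHeaders, auditUrl, SAMPLE_LEAKY, SAMPLE_CLEAN };
```

Run it against the deployment after each attempted fix (middleware, next.config headers(), vercel.json) to confirm whether the header actually changed on the wire, and check a few different paths, since the leaked value is the matched route for that specific request.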

Hi @schutzworks, welcome to the Vercel Community!

Can you try setting the header value in vercel.json to an empty string?