# How to suppress X-Matched-Path response header on Vercel for security compliance


Andrew Schutzbank (@schutzworks) · 2026-03-16

## Problem
During a third-party penetration test, `X-Matched-Path` was flagged as an information disclosure issue. It exposes internal routing structure (e.g., `/admin`, `/api/chat`) on every response, which gives attackers a free map of the application’s route surface.

## What I've Tried
I attempted two approaches to remove it:

1.  **Middleware `headers.delete('X-Matched-Path')`** — header still present. Vercel’s edge layer injects it after middleware executes.
2.  **`next.config.ts` `async headers()` override** — setting it to an empty string. Vercel’s value still wins.

## Request
Vercel support confirmed this is a platform-level header with no config flag or project setting to suppress it, unlike `X-Powered-By` which has `poweredByHeader: false` in Next.js.

Add a project-level setting or `vercel.json` option to suppress platform headers like `X-Matched-Path`, similar to how Next.js allows `poweredByHeader: false`. Ideally a general mechanism for opting out of any non-essential platform headers.

Thanks!


Anshuman Bhardwaj (@anshumanb) · 2026-03-16

Hi @schutzworks, welcome to the Vercel Community!

Can you try setting the header value in `vercel.json` to an empty string? 

https://vercel.com/docs/project-configuration/vercel-json#headers
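
Added example, not part of either post and not Vercel's code: a Node.js check for confirming whether any of the suppression attempts discussed in this thread actually changed what a deployment returns. It separates a header that is absent from one that is still sent with an empty value, which is what an empty-string override could produce. It assumes Node 18+ (global `Headers` and `fetch`); the function names and sample header sets are constructed for illustration.

```javascript
// Platform/framework headers named in the thread, lower-cased for lookup.
const WATCHED = ['x-matched-path', 'x-powered-by'];

// Classify each watched header on one response as
// 'absent' (not sent), 'empty' (sent with no value) or 'disclosed'.
function classifyHeaders(headers) {
  const h = headers instanceof Headers ? headers : new Headers(headers);
  return WATCHED.map((name) => {
    const value = h.get(name); // case-insensitive; null when not present
    let status = 'disclosed';
    if (value === null) status = 'absent';
    else if (value.trim() === '') status = 'empty';
    return { name, status, value };
  });
}

// Audit a map of request path -> response headers and return only the
// entries that still disclose a value.
function auditRoutes(routes) {
  const leaks = [];
  for (const [path, headers] of Object.entries(routes)) {
    for (const finding of classifyHeaders(headers)) {
      if (finding.status === 'disclosed') {
        leaks.push({ path, header: finding.name, value: finding.value });
      }
    }
  }
  return leaks;
}

// Live variant for your own deployment: HEAD request, redirects not followed,
// so the headers inspected belong to the URL that was asked for.
async function auditUrl(url) {
  const res = await fetch(url, { method: 'HEAD', redirect: 'manual' });
  return classifyHeaders(res.headers);
}

// Constructed sample: one route per outcome.
const sample = {
  '/admin': { 'X-Matched-Path': '/admin', 'X-Powered-By': 'Next.js' },
  '/api/chat': { 'X-Matched-Path': '', 'Content-Type': 'application/json' },
  '/': { 'Content-Type': 'text/html' },
};

console.log(auditRoutes(sample));
```

Run `auditUrl` against each route of a preview deployment after every configuration change, and compare the result with what the scanner flags, since some scanners report on header presence rather than value.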