Possible to remove vercel-related headers?

Hello. My security team is asking if we can remove headers which could be used in fingerprinting our site.

Specifically, we want to remove:

  • x-vercel-id
  • x-vercel-cache
  • Server
  • content-length

I presume I could strip these headers via middleware, but before I even try I thought I should ask if doing so would have negative consequences?

I understand that info about the technology being used or that Vercel is the host can be determined easily with other means, but it could help prevent one or more attackers who are not diligent past investigating request headers.

Hi @kylemh1, welcome to the Vercel Community!

Yes, you can remove these headers from the Edge Middleware.

Now coming to the more important part:

  • The content-length header is useful for the clients, so it might cause issues in its absence.
  • x-vercel-cache just shows the status of a cache hit or miss, so it’s not really a security issue but might be useful in debugging cache usage issues.
  • x-vercel-id is also useful for debugging issues.
  • Removing Server might not cause issues.

While I understand the security concerns, I assure you that if you use Vercel, your site is protected by the Vercel Firewall.
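
The header stripping discussed in this thread, as an added example that is not part of either post and not Vercel's own code: it removes the three identifying headers from a standard Fetch API `Response`, keeps `content-length`, and includes a check for what is still present afterwards. The function names and sample values are assumptions constructed for illustration, and the thread does not say whether the platform adds headers after middleware has run, so confirm the result against a live response.

```javascript
// Added example: header names come from the thread; function names are hypothetical.
// content-length is deliberately not stripped, because the reply notes clients rely on it.
const STRIP = ["x-vercel-id", "x-vercel-cache", "server"];

// Return a copy of `response` without the listed headers.
// Headers.delete() matches names case-insensitively ("Server" == "server").
function stripFingerprintHeaders(response, names = STRIP) {
  const headers = new Headers(response.headers);
  for (const name of names) headers.delete(name);
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Verification helper: which of the watched headers are still present?
function remainingFingerprintHeaders(response, names = STRIP) {
  return names.filter((name) => response.headers.has(name));
}

// Constructed sample response (all values are made up for the demo).
function sampleResponse() {
  return new Response("ok", {
    status: 200,
    headers: {
      "Server": "Vercel",
      "X-Vercel-Id": "constructed-id-0001",
      "X-Vercel-Cache": "HIT",
      "Content-Length": "2",
      "Content-Type": "text/plain",
    },
  });
}

const before = sampleResponse();
const after = stripFingerprintHeaders(before);
console.log("before:", remainingFingerprintHeaders(before));
console.log("after: ", remainingFingerprintHeaders(after));
console.log("content-length kept:", after.headers.get("content-length"));
```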