Hello everyone,
last week I submitted a little fix for skew protection on React Router, and I haven't seen any update since then.
I just realised I should have discussed this here first, and so here I am :)
Please let me know how to proceed.
main ← MicheleBertoli:rr-skew
opened 06:35PM - 04 Mar 26 UTC
The `__vdpl` cookie is set without a `Path` attribute in both `entry.server.js` … and `edge/entry.server.js`:
```js
responseHeaders.append('Set-Cookie', `__vdpl=${vercelDeploymentId}; HttpOnly`);
```
Per [RFC 6265 Section 5.1.4](https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.4), when `Path` is omitted the browser computes a default path from the request URI (everything up to the last `/`). This means:
| Page loaded | Cookie path | Sent on `/assets/*`? |
|--------|--------|--------|
| `/dashboard` | `/` | Yes |
| `/dashboard/clients` | `/dashboard` | No |
| `/dashboard/clients/abc` | `/dashboard/clients` | No |
When a user lands on a deep URL, the `__vdpl` cookie is not sent on subsequent requests for `/assets/*.js` files. After a new deployment, the browser tries to lazy-load old content-hashed chunks, but the asset requests don’t include the cookie, resulting in 404s.
We observed this in production: the browser had accumulated multiple `__vdpl` cookies with different paths pointing to different deployment IDs:
| Deployment ID | Path |
|--------|--------|
| `dpl_825k59...` | `/dashboard/clients/prod...` |
| `dpl_H583YD...` | `/` |
| `dpl_8V9bE7...` | `/assets` |
Vercel logs showed asset requests hitting the serverless function (`/*` route, 404) instead of being served from the CDN, consistent with the cookie not being sent and Skew Protection not kicking in.
Every other Vercel framework adapter sets `Path=/`:
- Next.js (`next/dist/lib/load-custom-routes.js`):
```js
value: `__vdpl=${config.deploymentId}; Path=/; HttpOnly`
```
- SvelteKit (`@sveltejs/adapter-vercel`):
```js
'Set-Cookie': `__vdpl=${process.env.VERCEL_DEPLOYMENT_ID}; Path=${builder.config.kit.paths.base}/; SameSite=Strict; ...`
```
- Qwik (`@builder.io/qwik`):
```js
cookies.set(VERCEL_COOKIE, deploymentId, { path: baseUrl, ... });
```
The fix adds `Path=/` to the `Set-Cookie` header in both the Node and Edge entry servers, consistent with all other framework implementations.
> [!NOTE]
> Low Risk Change
>
> This PR adds Path=/ attribute to an existing cookie for Vercel Skew Protection, which is a defensive fix ensuring the cookie is sent on all requests rather than being scoped to deep paths.
>
> - Adds Path=/ to __vdpl cookie in both Node and Edge entry servers
> - Fixes cookie scoping bug where deep URLs caused cookie to not be sent on asset requests
>
> <sup>Risk assessment for [commit dc27ebb](https://github.com/vercel/vercel/commit/dc27ebb877745d2aad1f2aad120151f38bfcca2f).</sup>
1 Like
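The default-path and path-match rules from RFC 6265 Section 5.1.4 that the PR description relies on, as an added example (not code from the PR or from Vercel). The function names, the `dpl_EXAMPLE` deployment id and the asset file name are constructed for illustration.

```javascript
// RFC 6265 Section 5.1.4: default-path computed from the request URI path
// when a Set-Cookie header carries no Path attribute.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  // Only one "/" (at index 0) means the default path is "/".
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// RFC 6265 Section 5.1.4: does requestPath path-match cookiePath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts when it ends on a "/" boundary.
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Path the browser stores for a Set-Cookie header received on pagePath.
function storedPath(setCookie, pagePath) {
  const attr = setCookie.split(';').slice(1)
    .map((s) => s.trim())
    .find((s) => /^path=/i.test(s));
  const value = attr ? attr.slice(5) : '';
  // An empty or non-absolute Path value falls back to the default path.
  return value.startsWith('/') ? value : defaultPath(pagePath);
}

// Would the cookie set on pagePath accompany a request for assetPath?
function sentOnAsset(setCookie, pagePath, assetPath) {
  return pathMatches(assetPath, storedPath(setCookie, pagePath));
}

// Constructed sample values (deployment id and asset name are placeholders).
const before = '__vdpl=dpl_EXAMPLE; HttpOnly';
const after = '__vdpl=dpl_EXAMPLE; Path=/; HttpOnly';
const asset = '/assets/chunk-abc123.js';
for (const page of ['/dashboard', '/dashboard/clients', '/dashboard/clients/abc']) {
  // Columns: page, stored path without Path, sent before fix, sent after fix.
  console.log(page, storedPath(before, page),
    sentOnAsset(before, page, asset), sentOnAsset(after, page, asset));
}
```

The same `defaultPath` rule explains the `/assets` entry in the accumulated-cookie table: a `Set-Cookie` without `Path` on a response under `/assets/` is stored with path `/assets`.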
pawlean
(Pauline P. Narvas)
March 10, 2026, 6:18pm
Thank you for your contribution, Michele! Welcome to the Vercel Community!
I’ve passed this on to the CICD team to review!
2 Likes
Gentle nudge on this one.
It’s a 2-line change that brings @vercel/react-router in line with how Next.js, SvelteKit, and Qwik already set __vdpl, and it unblocks Skew Protection for deep URLs.
Happy to add a changeset or any tweaks that’d help, just let me know.