Starting April 6, 2026, Vercel’s CDN began honoring Cache-Control headers from external origins by default for all new projects. Previously, responses proxied through rewrites to external backends were uncached unless you explicitly opted in via the x-vercel-enable-rewrite-caching header in vercel.json. The change brings Vercel in line with standard CDN practice, but it also means any misconfigured upstream will now get cached silently at the edge.
What changed and when
Vercel announced the change on March 30, 2026. New projects created after April 6 automatically cache responses from external origins based on the headers those origins send. The CDN now respects three upstream headers: Cache-Control, CDN-Cache-Control, and Vercel-CDN-Cache-Control. Origins can also attach Vercel-Cache-Tag headers to support tag-based purging.
Existing projects are not automatically enrolled. Teams can opt in through the project dashboard. If specific paths need to stay uncached, setting x-vercel-enable-rewrite-caching to 0 in the response headers disables caching for those routes.
Why the old behavior existed
Before this change, Vercel’s CDN treated proxied external responses as uncached by default. If you used rewrites in vercel.json to proxy requests to a headless CMS, a third-party API, or any external backend, every single request hit the upstream origin. The only way to enable caching was to add x-vercel-enable-rewrite-caching: 1 to the request headers in your rewrite configuration.
This was conservative but predictable. Teams with poorly configured upstreams (missing Cache-Control entirely, or setting max-age to absurdly high values) never saw stale content at the edge because the edge never cached anything. The trade-off was latency. According to analysis published at zhul.in, Vercel’s default HTML cache-control header is public, max-age=0, must-revalidate, which forces origin validation on every request. The same analysis measured 450ms HTML load time under defaults versus 41ms after adding s-maxage=600, a 10x latency gap that most Vercel users never notice.
Who is affected
The blast radius is proportional to how many external rewrites a project has accumulated. The most exposed setups:
- Headless CMS backends (Sanity, Contentful, Strapi) proxied through Vercel rewrites. If the CMS sends permissive
Cache-Controlheaders, content updates may take longer to appear. - Third-party API proxies where the upstream sets a long
max-agewithoutstale-while-revalidate. The CDN will faithfully cache stale responses for the full duration. - Legacy origins that send no
Cache-Controlheader at all. Vercel’s behavior for missing headers under the new regime is not documented clearly in the changelog, which is itself worth auditing before opting in.
The misconfiguration risk
The core problem is not that Vercel caches too aggressively. It is that most teams using external rewrites never thought about cache semantics because Vercel was handling it by not caching at all. Now that the CDN respects upstream headers, every misconfigured origin becomes a live caching policy.
Common failure modes:
- Over-cached API responses: An upstream API returns
Cache-Control: max-age=86400because that header was set for a different CDN layer. Now Vercel caches it for 24 hours at the edge. - Missing headers entirely: If an origin sends no
Cache-Control, the CDN’s default behavior determines staleness. Teams should verify what their origins actually send before opting in. stale-while-revalidateassumptions: Teams who relied on Vercel revalidating on every request (the old behavior) will lose that implicit guarantee. The new behavior depends entirely on what the origin declares.
How to audit and fix
The remediation path is straightforward but requires a per-route audit:
- Check what your upstream origins actually send. Run
curl -Iagainst each proxied endpoint and inspect theCache-Controlheader. If it is missing or misconfigured, fix the upstream before enabling caching. - Use
CDN-Cache-ControlorVercel-CDN-Cache-Controlto set caching policy independently of what the browser sees. This is the intended escape hatch: the origin can serve one policy to browsers and a different one to Vercel’s CDN. - Opt out specific paths by setting
x-vercel-enable-rewrite-cachingto0in the response headers for routes where caching is undesirable or where the upstream cannot be easily modified. - Set explicit
s-maxagefor routes that should be cached. Thes-maxagedirective targets shared caches (CDNs) specifically, leaving the browser-facingmax-ageuntouched.
Why Vercel was the outlier
Standard CDN practice is to honor origin Cache-Control headers by default. Vercel’s old uncached-by-default stance for external rewrites was a departure from this norm, likely a deliberate choice to reduce support load from developers surprised by stale content. The flip brings Vercel in line with industry convention, but the quiet years of non-standard behavior mean many Vercel projects accumulated external rewrites with no cache-awareness at all.
Vercel, valued at $9.3 billion after a $300M Series F in September 2025 co-led by Accel and GIC, has been gradually shifting its infrastructure model toward more standard CDN semantics. The external-origin caching change is part of that trajectory. Mitchell Hashimoto joined the board in March 2026, which suggests infrastructure rigor is a priority.
The practical takeaway: if you run Vercel rewrites to external origins, audit the headers those origins return before opting in. The fix for any given route is a one-line config change. The cost of skipping the audit is serving stale or missing content to every edge-cached visitor until someone notices.
Frequently Asked Questions
Does the April 6 change affect Vercel’s built-in HTML caching for Next.js-rendered pages?
No — external-origin rewrite caching and Vercel’s own HTML function caching are separate config surfaces. The 450ms-vs-41ms latency gap from the zhul.in analysis concerns server-rendered HTML responses, not proxied backends. Teams managing both need to tune two independent caching policies.
How large was the gap between Vercel and Cloudflare on origin-cache behavior?
Cloudflare operates across 335+ cities and has always treated upstream Cache-Control as authoritative by default. Vercel, running on AWS infrastructure, was the notable holdout among modern edge platforms in requiring explicit opt-in to cache proxied external responses — a gap that persisted for years.
What happens if a proxied origin sends no Cache-Control header after opting in?
The changelog does not document the fallback behavior for missing headers. Vercel’s architecture is closer to a global multi-region storage mesh than a traditional origin-CDN model, so even uncached requests hit a nearby storage node rather than the true upstream. But the exact staleness policy for headerless responses should be tested per-route before flipping the toggle.
What does the caching change signal about Vercel’s infrastructure direction?
Mitchell Hashimoto’s board appointment in March 2026 and the shift toward standard CDN semantics suggest more infrastructure-level behavior changes ahead. A security breach disclosed via Context.ai on April 19 — less than two weeks after the caching rollout — is a reminder that platform-level changes tend to arrive in clusters, making advisory monitoring as important as config audits.