Vercel Sandbox's firewall now routes outbound sandbox traffic through a user-controlled proxy. Set a forwardURL on any allowed domain and matching HTTPS requests are forwarded to your server, carrying four identification headers: vercel-forwarded-host, vercel-forwarded-scheme, vercel-forwarded-port, and a Vercel-issued OIDC token that authenticates the source team, project, and sandbox.

The more important addition is matchers. You can now filter which requests get proxied or brokered based on path, method, query string, or headers. That means you can forward only POST requests to a specific API endpoint while leaving all other traffic untouched. The same filters also scope credentials brokering, not just logging and debugging.

Both features are in beta, available on Pro and Enterprise plans via the @vercel/sandbox@beta SDK. Read the full docs for the proxying spec and matcher syntax: the implementation details on the OIDC token verification flow and the exact matcher configuration schema are worth the full read.
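
What the receiving server has to check before acting on a forwarded request, as an added example (not Vercel's code and not from the docs): it verifies the token first, then rebuilds the original destination from the three forwarded headers and applies its own allowlist. The token header name, issuer, audience and RS256 key handling are assumptions for illustration; the page does not give them.

```javascript
const crypto = require('node:crypto');

// ASSUMPTIONS (not from the page): the token header name, issuer and audience
// below are placeholders; take the real values from the Vercel docs.
const TOKEN_HEADER = 'x-example-oidc-token';
const EXPECTED = { iss: 'https://issuer.example', aud: 'https://proxy.example' };

const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Verify an RS256 JWT against a known public key and check iss, aud and exp.
function verifyToken(token, publicKey, now) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  if (decode(h).alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, sig)) throw new Error('bad signature');
  const claims = decode(p);
  if (claims.iss !== EXPECTED.iss || claims.aud !== EXPECTED.aud) throw new Error('wrong iss/aud');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Rebuild the original destination from the three forwarded headers named on the page.
function originalTarget(headers) {
  const host = headers['vercel-forwarded-host'] || '';
  const port = Number(headers['vercel-forwarded-port']);
  if (headers['vercel-forwarded-scheme'] !== 'https') throw new Error('unexpected scheme');
  if (!/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/i.test(host)) throw new Error('bad host');
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error('bad port');
  return new URL(`https://${host}:${port}`);
}

// Authenticate first, then decide; returns null when the request must be refused.
function authorize(headers, publicKey, allowedHosts, now = Math.floor(Date.now() / 1000)) {
  try {
    const claims = verifyToken(headers[TOKEN_HEADER], publicKey, now);
    const target = originalTarget(headers);
    return allowedHosts.has(target.hostname) ? { claims, target: target.origin } : null;
  } catch { return null; }
}

// Constructed sample: a throwaway key pair and token stand in for the real issuer.
function sampleRequest(claims) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const body = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  const token = `${body}.${crypto.sign('RSA-SHA256', Buffer.from(body), privateKey).toString('base64url')}`;
  return { publicKey, headers: { [TOKEN_HEADER]: token, 'vercel-forwarded-host': 'api.example.com',
    'vercel-forwarded-scheme': 'https', 'vercel-forwarded-port': '443' } };
}
```

In a real deployment the public key comes from the issuer's published key set, and the returned claims are where the team, project and sandbox identity would be checked.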
