Out of the box, every Deployment on ZEIT Now is served over an HTTPS connection. The SSL certificates for these unique URLs are automatically generated free of charge.
Furthermore, any HTTP requests to your Deployments are automatically forwarded to HTTPS using the 301
status code:
HTTP/1.1 301 Moved Permanently Content-Type: text/plain Location: https://<your-deployment-host>
It is not possible to disable this redirection or prevent the Deployment from being served over HTTPS as it is considered an industry standard to serve web content over a secure connection.
Supported TLS Versions
ZEIT Now supports TLS version 1.2.
Supported Ciphers
In order to ensure the integrity of the data received and sent by any Deployment running on the ZEIT Now platform, we only support ciphers with forward secrecy.
The following cipher algorithms are supported:
- ECDH+AESGCM
- ECDH+AES256
- ECDH+AES128
- DH+3DES
- !ADH
- !AECDH
- !MD5
- !EDH-RSA-DES-CBC3-SHA
Support for HSTS
Only the .now.sh
domain (and therefore all of its sub domains, which are the unique URLs set when creating a deployment) support HSTS.
You can enable this by setting the Strict-Transport-Security
(more details) header to the following value in your Deployment:
Strict-Transport-Security: max-age=31536000; includeSubDomains;
Theoretically, you could set the max-age
parameter to a different value (it indicates how long the client should remember that your site is only accessible over HTTPS), but since we do not allow connections made over HTTP, there is no point in setting it to a shorter value, as the client can just remember it forever.
How Certificates Are Handled
The unique URLs generated when creating a deployment are handled using a wildcard certificate issued for the .now.sh
domain. The ZEIT Now platform generates wildcard certificates using LetsEncrypt and keeps them updated automatically.
When custom certificates are generated using now certs issue
, however, their keys are placed in our database and encrypted at rest within the Network layer.
Then, once a hostname is requested, the certificate and key are read from the database and used for establishing the secure connection. In addition, both are cached in memory for optimal SSL termination performance.
Full Specification
Any features of the encryption mechanism that were left uncovered are documented here. You only need to make sure to select any IP address of your choice (it does not matter which one you pick – the results are the same for all).