• Vercel Sandbox now enforces egress policies via SNI filtering and CIDR blocks. • Outbound TLS connections are matched at handshake, blocking unauthorized destinations pre‑data. • Default unrestricted internet access can be locked down to only needed services. • Host‑based filtering uses TLS handshake inspection, covering most encrypted traffic. • Supports wildcard allowlists for CDNs and dynamic policy updates on running sandboxes. • Legacy IP/CIDR rules remain for non‑TLS or older systems.
Sources: