Skip to main content
Custom Host Headers let you inject custom HTTP headers when Decipher’s test runner visits URLs that match a given hostname. This is useful for bypassing authentication on preview deployments — for example, Vercel’s deployment protection.

How Hostname Matching Works

Decipher matches hostnames using subdomain matching. When you add a hostname like vercel.app, it will match any URL whose host ends with that value — for example my-app-git-feat-acme.vercel.app. This means you only need one entry per hosting provider, not one per preview URL.

Setting Up Custom Host Headers

  1. Go to Settings > Testing
  2. Under Custom Host Headers, click Add Hostname
  3. Enter the hostname to match (e.g., vercel.app)
  4. Add one or more HTTP headers as key-value pairs
  5. Click Save
Any test that navigates to a matching URL will automatically include the configured headers in its requests.

Vercel Example

Vercel’s Deployment Protection blocks unauthenticated access to preview deployments. You can bypass it by sending a secret header.

Step 1 — Get your bypass secret

  1. Open your Vercel project’s Settings > Deployment Protection
  2. Under Protection Bypass for Automation, copy the secret value

Step 2 — Add the hostname and header in Decipher

  1. In Decipher, go to Settings > Testing and find Custom Host Headers
  2. Click Add Hostname and enter vercel.app
  3. Add a header:
    • Key: x-vercel-protection-bypass
    • Value: the secret you copied from Vercel
  4. Click Save
Decipher’s test runner automatically injects the companion header x-vercel-set-bypass-cookie: samesitenone alongside your bypass header so the protection cookie works correctly across navigations.