Skip to main content
Custom Host Headers let you inject custom HTTP headers when Decipher’s test runner visits URLs that match a given hostname. This is useful for bypassing authentication on preview deployments — for example, Vercel’s deployment protection.

How Hostname Matching Works

Decipher matches hostnames using subdomain matching. When you add a hostname like vercel.app, it will match any URL whose host ends with that value — for example my-app-git-feat-acme.vercel.app. This means you only need one entry per hosting provider, not one per preview URL.

Setting Up Custom Host Headers

  1. Go to Settings > Testing
  2. Under Custom Host Headers, click Add Hostname
  3. Enter the hostname to match (e.g., vercel.app)
  4. Add one or more HTTP headers as key-value pairs
  5. Click Save
Any test that navigates to a matching URL will automatically include the configured headers in its requests.

Vercel Example

Vercel’s Deployment Protection blocks unauthenticated access to preview deployments. You can bypass it by sending a secret header.

Step 1 — Get your bypass secret

  1. Open your Vercel project’s Settings > Deployment Protection
  2. Under Protection Bypass for Automation, copy the secret value

Step 2 — Add the hostname and header in Decipher

  1. In Decipher, go to Settings > Testing and find Custom Host Headers
  2. Click Add Hostname and enter vercel.app
  3. Add a header:
    • Key: x-vercel-protection-bypass
    • Value: the secret you copied from Vercel
  4. Click Save
Decipher’s test runner automatically injects the companion header x-vercel-set-bypass-cookie: samesitenone alongside your bypass header so the protection cookie works correctly across navigations.

Custom Script

Sometimes static HTTP headers aren’t enough — for example, when you need to compute an HMAC signature, attach a rotating token, or dynamically modify requests at runtime. Custom Script lets you write a JavaScript snippet that runs in the browser before any page scripts on every page load during a test.

When It Runs

Whenever a test navigates to a URL whose host matches the configured hostname, the script is injected and executed before the page’s own scripts run. This happens on every navigation (initial load, client-side route change, or redirect) to the matching host.

What It Has Access To

The script runs in the page’s browser context, so it has access to all standard browser APIs:
  • window and document
  • fetch and XMLHttpRequest
  • localStorage and sessionStorage
  • Cookies via document.cookie

Setting Up a Custom Script

  1. Go to Settings > Testing
  2. Under Custom Host Headers, click Add Hostname (or edit an existing one)
  3. Write your JavaScript in the Custom Script editor
  4. Click Save

Example — Injecting a Header into Every Fetch Request

const originalFetch = window.fetch;
window.fetch = function (...args) {
  let [resource, config] = args;
  config = config || {};
  config.headers = {
    ...config.headers,
    "my-header": "my-value",
  };
  return originalFetch(resource, config);
};
Custom Script and HTTP headers can be used together on the same hostname. HTTP headers are added to every outgoing request at the network level, while the custom script runs in the page’s JavaScript context.