I’m hosting a NestJS API on Render, and I have both:
the default .onrender.com subdomain
and a custom domain connected to that service.
My frontend is hosted on Vercel, and I’m using Server Actions to make requests from the frontend to the Render API.
The problem: whenever a Server Action tries to call the API (regardless of whether I use the .onrender.com subdomain or the custom domain), I receive a 403 Forbidden response — the full Cloudflare “Access Denied” HTML page is returned.
What I’ve tried:
Adding a custom User-Agent (e.g., “MyApp Frontend”).
Setting Content-Type: application/json.
Testing with both GET and POST requests.
Verified that the exact same requests work perfectly from Postman or from localhost.
This only fails when the request originates from Vercel’s backend/server environment (Server Actions or API routes).
I’m not using Cloudflare on my end, so I believe Render is applying Cloudflare protection automatically behind the scenes, even when using a custom domain.
My questions:
Is there a way to disable or adjust this protection for my service to allow trusted requests from Vercel?
Can I whitelist a particular origin, IP range, or User-Agent?
Is this behavior expected when calling Render from other server-side environments?
Any help or guidance would be appreciated.
Happy to provide extra details (error payload, headers, etc.) if needed.
They have since rolled it back, and no more requests are being blocked. Make sure to update your Next.js version to the patch release to prevent the security vulnerability from being exploited.
Updating Next.js does not seem to work for me, as I have a similar issue (fetching a Render-hosted API in a Next.js Vercel environment, specifically in a server component), and it still crashes. The logs receive unexpected HTML instead of the expected JSON I would normally get.
Also worth noting that fetching client-side does not give any errors. Only server-side requests fail.