
    Vercel Security Hardening Guide

    Comprehensive security configuration guide for deploying AI-generated applications on Vercel. Protect your serverless deployments with proper environment variable management, deployment protection, and security headers.

    Vercel Defaults Are Not Production-Ready

    Vercel's default settings prioritize developer experience over security. Preview deployments are public by default, and security headers must be manually configured. AI-generated apps often miss these critical security configurations.

    Vercel Security Checklist

    Follow these 12 steps to harden your Vercel deployment. Critical items must be configured before launching to production.

    Step 1

    Environment variable encryption

    Critical

    Ensure all sensitive environment variables are encrypted at rest, and use Vercel's built-in secrets management rather than storing them in plain text.

    Step 2

    Disable preview deployments for sensitive branches

    Critical

    Configure deployment protection to prevent unauthorized access to preview deployments containing production-like data.

    Step 3

    Enable deployment protection

    Critical

    Require authentication for all preview deployments to prevent public access to staging environments and sensitive features.

    Step 4

    Configure security headers

    Critical

    Set up CSP, HSTS, X-Frame-Options, and other security headers in vercel.json or next.config.js to protect against common attacks.

    Step 5

    Restrict deployment branches

    Critical

    Configure which branches can trigger deployments to prevent malicious code from being deployed to production infrastructure.

    Step 6

    Enable web application firewall

    Critical

    Use Vercel's Firewall feature to block malicious requests, DDoS attacks, and suspicious traffic patterns.

    Step 7

    Set up log drains

    Configure log forwarding to external monitoring tools for security event analysis and threat detection.

    Step 8

    Review team access permissions

    Audit who has deployment access and follow the principle of least privilege when assigning team member roles.

    Step 9

    Enable automatic security updates

    Configure Vercel to automatically rebuild when security patches are released for your framework dependencies.

    Step 10

    Configure DDoS protection settings

    Set up rate limiting and DDoS mitigation rules appropriate for your application's traffic patterns.

    Step 11

    Review function execution limits

    Set appropriate timeout and memory limits for serverless functions to prevent resource exhaustion attacks.

    Step 12

    Enable audit logging

    Turn on comprehensive audit logs for all deployment, configuration, and team access changes.

    Common Vercel Misconfigurations

    Public Preview Deployments

    Critical

    Preview URLs are publicly accessible without authentication, exposing staging data and unfinished features.

    Hardcoded Secrets in Code

    Critical

    API keys and tokens committed to the repository instead of being stored as Vercel environment variables.

    Missing Security Headers

    High

    CSP, HSTS, and other protective headers not configured, leaving the app vulnerable to XSS and clickjacking.

    Overly Permissive CORS

    Medium

    CORS headers allow all origins instead of restricting to trusted domains only.
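    The following is an added example, not code from this guide or from Vercel, showing Step 4 and the CORS item above as a Next.js next.config.js: the hardening headers applied to every route, a single named origin for /api/* instead of "*", and a small audit helper that reports which headers a live response is missing. TRUSTED_ORIGIN and the CSP directives are assumptions to adapt per application.

```javascript
// next.config.js
// Constructed placeholder: replace with the origin your front end is served from.
const TRUSTED_ORIGIN = "https://app.example.com";
// Content-Security-Policy: self-only by default, no plugins, no framing.
const csp = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data:",
  "object-src 'none'",
  "frame-ancestors 'none'",
  "base-uri 'self'",
  "form-action 'self'",
].join("; ");

// Hardening headers applied to every route.
const securityHeaders = [
  { key: "Content-Security-Policy", value: csp },
  { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains; preload" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
];

// CORS for API routes: one named origin, never "*".
const corsHeaders = [
  { key: "Access-Control-Allow-Origin", value: TRUSTED_ORIGIN },
  { key: "Access-Control-Allow-Methods", value: "GET, POST, OPTIONS" },
  { key: "Access-Control-Allow-Headers", value: "Content-Type, Authorization" },
];

const nextConfig = {
  async headers() {
    return [
      { source: "/(.*)", headers: securityHeaders },
      { source: "/api/(.*)", headers: corsHeaders },
    ];
  },
};

// Post-deploy check: given a live response's headers, list which hardening
// headers are missing and flag a wildcard CORS origin.
function auditHeaders(responseHeaders) {
  const lower = Object.fromEntries(Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const missing = securityHeaders.map((r) => r.key).filter((k) => !(k.toLowerCase() in lower));
  return { missing, openCors: lower["access-control-allow-origin"] === "*" };
}
if (typeof module !== "undefined") module.exports = nextConfig;
```

    Run auditHeaders against the headers of a real response from your deployment (for example, from a curl -I of the production URL) to confirm the configuration actually reached the edge.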


    Scan Your Vercel Deployment

    VibeEval can automatically detect security misconfigurations in your Vercel deployment. Get instant feedback on environment variable exposure, missing security headers, and deployment protection issues.
