    How to Secure Vercel

    Step-by-step guide to securing your Vercel deployment and protecting your applications.

    Vercel Security Context

    Vercel provides enterprise-grade hosting with automatic HTTPS and DDoS protection. Key security areas include environment variables, preview deployment access, and serverless function security.

    Security Checklist

    1. Secure environment variables (Critical)
       Store secrets in Vercel environment variables, not in code. Use different values for preview vs production.

    2. Protect preview deployments (Critical)
       Enable password protection or restrict preview deployments to team members only.

    3. Configure authentication (Critical)
       Set up proper authentication for any protected routes or API endpoints.

    4. Review serverless functions
       Audit API routes and serverless functions for security vulnerabilities.

    5. Enable Web Application Firewall
       Use Vercel's WAF features if available on your plan.

    6. Configure headers
       Set security headers in vercel.json or next.config.js.

    7. Review redirects and rewrites
       Audit redirects for potential open redirect vulnerabilities.

    8. Enable HTTPS
       Vercel enables HTTPS by default; verify it's working correctly.

    9. Configure rate limiting
       Set up rate limiting on API routes to prevent abuse.

    10. Review deployment logs
        Monitor logs for suspicious activity.

    11. Set up team permissions
        Configure appropriate access levels for team members.

    12. Enable audit logging
        Track deployments and configuration changes.

    13. Review edge functions
        Audit Edge Functions for security issues.

    14. Configure domain security
        Set up DNSSEC and CAA records for custom domains.

    15. Review third-party integrations
        Audit integrations for security implications.

    16. Enable DDoS protection
        Verify DDoS protection is active.

    17. Review caching configuration
        Ensure sensitive data isn't cached inappropriately.

    18. Configure CORS
        Set appropriate CORS policies for API routes.

    19. Run security scan
        Use VibeEval to scan your deployed application.
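
For the "Configure headers" and "Review redirects and rewrites" steps, a static check over a parsed vercel.json can flag missing site-wide security headers and redirects whose target is taken from a request parameter. This is an added example, not code from Vercel or VibeEval; the header baseline, the catch-all patterns and the sample config are assumptions constructed for illustration.

```javascript
// Added example: static audit of a parsed vercel.json (not Vercel's or VibeEval's code).
// BASELINE_HEADERS and CATCH_ALL are assumptions; adjust them to your own policy.
const BASELINE_HEADERS = ["strict-transport-security", "content-security-policy",
  "x-content-type-options", "x-frame-options", "referrer-policy"];
const CATCH_ALL = new Set(["/(.*)", "/:path*"]); // sources treated as site-wide

// Baseline headers not set by any rule that covers every path.
function missingSiteWideHeaders(config) {
  const present = new Set();
  for (const rule of config.headers ?? []) {
    if (!CATCH_ALL.has(rule.source)) continue; // path-scoped rules do not count
    for (const h of rule.headers ?? []) present.add(String(h.key).toLowerCase());
  }
  return BASELINE_HEADERS.filter((name) => !present.has(name));
}

// A destination whose start or host is a captured ":name" parameter lets the
// request decide where the redirect lands; a same-origin "/:path*" is not flagged.
const PARAM_CONTROLS_TARGET = /^(?:(?:https?:)?\/\/)?:[A-Za-z_]/;

function riskyRedirects(config) {
  return (config.redirects ?? [])
    .filter((r) => PARAM_CONTROLS_TARGET.test(r.destination ?? ""))
    .map((r) => r.source);
}

function auditVercelConfig(config) {
  return { missingHeaders: missingSiteWideHeaders(config), riskyRedirects: riskyRedirects(config) };
}

// Constructed sample config, for illustration only.
const sample = {
  headers: [
    { source: "/(.*)", headers: [
      { key: "X-Content-Type-Options", value: "nosniff" },
      { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    ] },
    { source: "/api/(.*)", headers: [{ key: "X-Frame-Options", value: "DENY" }] },
  ],
  redirects: [
    { source: "/old/:path*", destination: "/new/:path*", permanent: true },
    { source: "/out/:target*", destination: "https://:target*" },
    { source: "/docs", destination: "https://docs.example.com/" },
  ],
};

console.log(JSON.stringify(auditVercelConfig(sample), null, 2));
```

Run it in CI against the real file by replacing `sample` with the parsed contents of vercel.json and failing the build when either list is non-empty.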
