Vercel Security Checklist: 15-Item Guide Before Deploying

TL;DR

This 15-item checklist covers critical Vercel security configurations: environment variables, security headers, access control, and API route protection. 5 critical items must be fixed before launch, 6 important items within the first week, and 4 recommended items when you can.

Vercel makes deploying so seamless that it is tempting to push to main and move on. But there are a handful of platform-specific settings -- environment variable prefixes, preview deployment access, security headers -- that are easy to misconfigure if you are not paying attention. A quick pass through this list will save you headaches.

Quick Checklist (5 Critical Items)

Store all secrets in Vercel Environment VariablesNever commit secrets to code - use Project Settings > Environment Variables

Use correct variable prefixesNEXT_PUBLIC_ exposes to browser - server secrets should NOT have this prefix

Add authentication to API routesEvery API route should verify the user before processing requests

Protect preview deploymentsEnable Vercel Authentication for previews with sensitive data

Add Content-Security-Policy headerDefine trusted sources for scripts, styles, and other resources

Environment Variables 4

Store all secrets in Vercel Environment VariablesGo to Project Settings > Environment Variables. Never commit secrets to code. How to configure env variables

Use correct variable prefixesOnly NEXT_PUBLIC_ vars are exposed to browser. Server secrets should NOT have this prefix. How to separate client/server keys

Set environment-specific variablesUse different values for Production, Preview, and Development environments. How to set up Vercel env vars

Verify no secrets in vercel.jsonThe vercel.json file is committed to git. Keep it secret-free. How to secure config files

Security Headers 4

Add X-Frame-Options headerSet to DENY or SAMEORIGIN to prevent clickjacking attacks. How to configure security headers

Add Content-Security-PolicyDefine trusted sources for scripts, styles, and other resources. How to configure CSP

Enable Strict-Transport-SecurityForce HTTPS connections. Vercel handles SSL, but HSTS adds protection. How to enable HSTS

Add X-Content-Type-Options: nosniffPrevent MIME type sniffing attacks. How to configure security headers

Access Control 4

Protect preview deploymentsEnable Vercel Authentication or use password protection for previews with sensitive data. How to protect preview deployments

Review team member permissionsAudit who has access to your Vercel project and remove unnecessary members. How to audit team access

Secure deployment hooksIf using deploy hooks, treat the URL as a secret. Rotate if compromised. How to secure deploy hooks

Check GitHub integration permissionsVerify Vercel only has access to necessary repositories. How to review GitHub permissions

API Routes 3

Add authentication to API routesEvery API route should verify the user before processing requests. How to implement auth checks

Implement rate limitingUse Vercel's rate limiting or implement your own to prevent abuse. How to implement rate limiting

Validate all inputsCheck request body, query params, and headers before processing. How to validate inputs

Vercel Security Best Practices

Vercel handles infrastructure security, SSL certificates, and DDoS protection automatically. Your responsibility is configuring environment variables correctly, adding security headers, and securing your application code.

The most common mistake is using the NEXT_PUBLIC_ prefix on secrets that should be server-only. Variables with this prefix are bundled into your JavaScript and visible to anyone viewing your site source.

How do I add security headers on Vercel?

Add security headers in vercel.json using the headers property, or in next.config.js for Next.js apps using the headers function. Include headers like X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, and Strict-Transport-Security.

Are Vercel environment variables secure?

Yes, Vercel encrypts environment variables at rest. Variables without the NEXT_PUBLIC_ prefix are only available server-side. Ensure you use the correct prefix to avoid exposing secrets to the browser. Also set environment-specific values for Production vs Preview.

Should I protect preview deployments?

Yes, if your previews contain sensitive data or functionality. Enable Vercel Authentication for your project, or use password protection. Preview URLs are semi-random but can be discovered or shared accidentally.

TL;DR

Quick Checklist (5 Critical Items)

Environment Variables 4

Security Headers 4

Access Control 4

API Routes 3

Vercel Security Best Practices

How do I add security headers on Vercel?

Are Vercel environment variables secure?

Should I protect preview deployments?

Related Articles

Vercel Security Guide

How to Configure Vercel Headers

Next.js Security Checklist

Check Your Vercel Deployment

Vercel Security Checklist: 15-Item Guide Before Deploying