[{"data":1,"prerenderedAt":213},["ShallowReactive",2],{"blog-checklists/vercel-security-checklist":3},{"id":4,"title":5,"body":6,"category":187,"date":188,"dateModified":189,"description":190,"draft":191,"extension":192,"faq":193,"featured":191,"headerVariant":198,"image":199,"keywords":199,"meta":200,"navigation":201,"ogDescription":202,"ogTitle":199,"path":203,"readTime":199,"schemaOrg":204,"schemaType":205,"seo":206,"sitemap":207,"stem":208,"tags":209,"twitterCard":211,"__hash__":212},"blog/blog/checklists/vercel-security-checklist.md","Vercel Security Checklist: 15-Item Guide Before Deploying",{"type":7,"value":8,"toc":181},"minimark",[9,16,19,22,47,65,84,102,117,122,125,128,150,169],[10,11,12],"tldr",{},[13,14,15],"p",{},"This 15-item checklist covers critical Vercel security configurations: environment variables, security headers, access control, and API route protection. 5 critical items must be fixed before launch, 6 important items within the first week, and 4 recommended items when you can.",[13,17,18],{},"Vercel makes deploying so seamless that it is tempting to push to main and move on. But there are a handful of platform-specific settings -- environment variable prefixes, preview deployment access, security headers -- that are easy to misconfigure if you are not paying attention. A quick pass through this list will save you headaches.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Never commit secrets to code - use Project Settings > Environment Variables","Store all secrets in Vercel Environment Variables",[27,32],{"description":33,"label":34},"NEXT_PUBLIC_ exposes to browser - server secrets should NOT have this prefix","Use correct variable prefixes",[27,36],{"description":37,"label":38},"Every API route should verify the user before processing requests","Add authentication to API routes",[27,40],{"description":41,"label":42},"Enable Vercel Authentication for previews with sensitive data","Protect preview deployments",[27,44],{"description":45,"label":46},"Define trusted sources for scripts, styles, and other resources","Add Content-Security-Policy header",[23,48,51,54,57,61],{"title":49,"count":50},"Environment Variables","4",[27,52],{"description":53,"label":30},"Go to Project Settings > Environment Variables. Never commit secrets to code. How to configure env variables",[27,55],{"description":56,"label":34},"Only NEXT_PUBLIC_ vars are exposed to browser. Server secrets should NOT have this prefix. How to separate client/server keys",[27,58],{"description":59,"label":60},"Use different values for Production, Preview, and Development environments. How to set up Vercel env vars","Set environment-specific variables",[27,62],{"description":63,"label":64},"The vercel.json file is committed to git. Keep it secret-free. How to secure config files","Verify no secrets in vercel.json",[23,66,68,72,76,80],{"title":67,"count":50},"Security Headers",[27,69],{"description":70,"label":71},"Set to DENY or SAMEORIGIN to prevent clickjacking attacks. How to configure security headers","Add X-Frame-Options header",[27,73],{"description":74,"label":75},"Define trusted sources for scripts, styles, and other resources. How to configure CSP","Add Content-Security-Policy",[27,77],{"description":78,"label":79},"Force HTTPS connections. Vercel handles SSL, but HSTS adds protection. How to enable HSTS","Enable Strict-Transport-Security",[27,81],{"description":82,"label":83},"Prevent MIME type sniffing attacks. How to configure security headers","Add X-Content-Type-Options: nosniff",[23,85,87,90,94,98],{"title":86,"count":50},"Access Control",[27,88],{"description":89,"label":42},"Enable Vercel Authentication or use password protection for previews with sensitive data. How to protect preview deployments",[27,91],{"description":92,"label":93},"Audit who has access to your Vercel project and remove unnecessary members. How to audit team access","Review team member permissions",[27,95],{"description":96,"label":97},"If using deploy hooks, treat the URL as a secret. Rotate if compromised. How to secure deploy hooks","Secure deployment hooks",[27,99],{"description":100,"label":101},"Verify Vercel only has access to necessary repositories. How to review GitHub permissions","Check GitHub integration permissions",[23,103,106,109,113],{"title":104,"count":105},"API Routes","3",[27,107],{"description":108,"label":38},"Every API route should verify the user before processing requests. How to implement auth checks",[27,110],{"description":111,"label":112},"Use Vercel's rate limiting or implement your own to prevent abuse. How to implement rate limiting","Implement rate limiting",[27,114],{"description":115,"label":116},"Check request body, query params, and headers before processing. How to validate inputs","Validate all inputs",[118,119,121],"h2",{"id":120},"vercel-security-best-practices","Vercel Security Best Practices",[13,123,124],{},"Vercel handles infrastructure security, SSL certificates, and DDoS protection automatically. Your responsibility is configuring environment variables correctly, adding security headers, and securing your application code.",[13,126,127],{},"The most common mistake is using the NEXT_PUBLIC_ prefix on secrets that should be server-only. Variables with this prefix are bundled into your JavaScript and visible to anyone viewing your site source.",[129,130,131,138,144],"faq-section",{},[132,133,135],"faq-item",{"question":134},"How do I add security headers on Vercel?",[13,136,137],{},"Add security headers in vercel.json using the headers property, or in next.config.js for Next.js apps using the headers function. Include headers like X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, and Strict-Transport-Security.",[132,139,141],{"question":140},"Are Vercel environment variables secure?",[13,142,143],{},"Yes, Vercel encrypts environment variables at rest. Variables without the NEXT_PUBLIC_ prefix are only available server-side. Ensure you use the correct prefix to avoid exposing secrets to the browser. Also set environment-specific values for Production vs Preview.",[132,145,147],{"question":146},"Should I protect preview deployments?",[13,148,149],{},"Yes, if your previews contain sensitive data or functionality. Enable Vercel Authentication for your project, or use password protection. Preview URLs are semi-random but can be discovered or shared accidentally.",[151,152,153,159,164],"related-articles",{},[154,155],"related-card",{"description":156,"href":157,"title":158},"Complete guide to Vercel security","/blog/guides/vercel","Vercel Security Guide",[154,160],{"description":161,"href":162,"title":163},"Security headers setup guide","/blog/how-to/vercel-env-vars","How to Configure Vercel Headers",[154,165],{"description":166,"href":167,"title":168},"Secure your Next.js app","/blog/checklists/nextjs-security-checklist","Next.js Security Checklist",[170,171,174,178],"cta-box",{"href":172,"label":173},"/","Start Free Scan",[118,175,177],{"id":176},"check-your-vercel-deployment","Check Your Vercel Deployment",[13,179,180],{},"Our scanner reviews headers, exposed secrets, and common misconfigurations.",{"title":182,"searchDepth":183,"depth":183,"links":184},"",2,[185,186],{"id":120,"depth":183,"text":121},{"id":176,"depth":183,"text":177},"checklists","2026-02-05","2026-02-20","Security checklist for Vercel deployments. Check these 15 items to secure your Next.js, React, or other apps on Vercel.",false,"md",[194,196],{"question":134,"answer":195},"Add security headers in vercel.json using the headers property, or in next.config.js for Next.js apps. Include headers like X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, and Strict-Transport-Security.",{"question":140,"answer":197},"Yes, Vercel encrypts environment variables at rest. Variables without the NEXT_PUBLIC_ prefix are only available server-side. Ensure you use the correct prefix to avoid exposing secrets to the browser.","green",null,{},true,"Security checklist for Vercel. 15 items to check before production deployment.","/blog/checklists/vercel-security-checklist","[object Object]","HowTo",{"title":5,"description":190},{"loc":203},"blog/checklists/vercel-security-checklist",[210],"Security Checklist","summary_large_image","ZCjy2kR6X4KNBgVqru_EW7bKJuE23yODqz1Fw69YAs4",1775843930668]