TL;DR
Vercel is a secure deployment platform with strong defaults: automatic HTTPS, environment variables encrypted at rest, and serverless functions that run in isolated instances. The main security concerns are publicly reachable preview URLs and secrets leaking into client-side code or build logs. The platform itself is well hardened; most real issues come from misconfigured applications.
What is Vercel?
Vercel is a cloud platform for deploying web applications, particularly popular with Next.js, React, and other frontend frameworks. It offers automatic deployments from Git, serverless functions, edge computing, and a global CDN, and was created by the team behind Next.js.
Our Verdict
What's Good
- Automatic HTTPS everywhere
- Encrypted environment variables
- Isolated serverless functions
- SOC 2 Type II certified
- DDoS protection included
What to Watch
- Preview URLs can leak
- Client-side env var exposure
- Build logs may contain secrets if a build script prints them
- Preview deployments public by default
Environment Variables
Critical: Environment variables prefixed with NEXT_PUBLIC_ are inlined into the client-side JavaScript bundle at build time, so anyone who loads the site can read them from the downloaded scripts. Never put secrets in NEXT_PUBLIC_ variables; only values the browser legitimately needs (a publishable key, an analytics ID) belong there.
Variable Types
| Type | Accessible From | Use For |
|---|---|---|
| Regular env vars | Server only | API keys, secrets |
| NEXT_PUBLIC_* | Server + Browser | Public IDs, analytics |
| Vercel System | Server only | Deployment info |
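The check a practitioner would want before every deploy is one that catches a secret placed under a NEXT_PUBLIC_ name. The following is an added example written for this page, not Vercel's or Next.js's own tooling: it parses a .env file and flags NEXT_PUBLIC_ variables whose name or value looks like a credential. The name fragments and value formats it matches are an assumed starting list, and the sample .env is constructed with fake values.

```javascript
// Added example (not Vercel's or Next.js's own code): a pre-deploy check that
// flags NEXT_PUBLIC_ variables whose names or values look like credentials.
// Next.js inlines every NEXT_PUBLIC_* value into the client JavaScript bundle
// at build time, so anything flagged here would ship to every browser.

// Name fragments that almost always denote a server-only credential (assumed list).
const SECRET_NAME_PATTERN =
  /SECRET|PRIVATE|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY|CONNECTION_STRING|DATABASE_URL/i;

// Value shapes of common credential formats (assumed list; extend for your providers).
const SECRET_VALUE_PATTERNS = [
  /^sk_(live|test)_[A-Za-z0-9]+$/,                                // Stripe secret keys
  /^AKIA[0-9A-Z]{16}$/,                                            // AWS access key IDs
  /^gh[pousr]_[A-Za-z0-9]{20,}$/,                                  // GitHub tokens
  /^(postgres(ql)?|mysql|mongodb(\+srv)?):\/\/[^\s/]+:[^\s/]+@/,   // DB URL with embedded password
  /^-----BEGIN [A-Z ]*PRIVATE KEY-----/,                           // PEM private keys
];

// Minimal .env parser: KEY=VALUE lines, optional surrounding quotes, # comments.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 &&
      ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'")));
    if (quoted) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// Returns every NEXT_PUBLIC_ variable that looks like a credential, with the reason.
function findExposedSecrets(vars) {
  const findings = [];
  for (const [key, value] of Object.entries(vars)) {
    if (!key.startsWith('NEXT_PUBLIC_')) continue; // server-only vars never reach the bundle
    if (SECRET_NAME_PATTERN.test(key)) {
      findings.push({ key, reason: 'name suggests a credential' });
    } else if (SECRET_VALUE_PATTERNS.some((re) => re.test(value))) {
      findings.push({ key, reason: 'value matches a known credential format' });
    }
  }
  return findings;
}

// Constructed sample .env for the demo; all values are fake placeholders.
const SAMPLE_ENV = `
# A public analytics id is fine to expose
NEXT_PUBLIC_GA_ID=G-ABC123
# Both of these would be inlined into the bundle
NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_0000000000000000
NEXT_PUBLIC_BACKEND="postgres://app:hunter2@db.internal:5432/app"
# Server-only: same values, safe here
STRIPE_SECRET_KEY=sk_live_0000000000000000
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
`;

// Run as a CI step: any finding should fail the build.
const findings = findExposedSecrets(parseDotenv(SAMPLE_ENV));
for (const f of findings) console.error(`EXPOSED ${f.key}: ${f.reason}`);
console.log(findings.length === 0 ? 'ok' : `${findings.length} exposed secret(s)`); // 2 exposed secret(s)
```

Run it against the .env files you commit (and against `vercel env pull` output) in CI and fail the build on any finding; the name check catches the common mistake, the value check catches a secret hidden under an innocuous name.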
Preview Deployments
Every PR gets a unique preview URL. This is powerful but has security implications:
Preview URL Risk: Preview deployments are publicly accessible by default. Anyone who obtains the URL (from a PR comment, a shared link, or the predictable branch-based hostname) can load the preview and call its API routes, which run with whatever secrets the Preview environment holds.
Preview Security Options
- Vercel Authentication: visitors must log in to Vercel as a member of the team that owns the project (Pro/Enterprise)
- Password Protection: a shared password is required before the deployment is served
- Deployment Protection: the project setting under which the options above are enabled and scoped, to preview deployments only or to every deployment
- Separate env vars: scope each secret to the Production, Preview, or Development environment so a leaked preview never exposes production credentials
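For projects that cannot turn on the built-in protection, a middleware gate is the usual fallback. The block below is an added example, not Vercel's feature or code: it refuses to serve a preview deployment without HTTP Basic credentials, while leaving production untouched. It relies on VERCEL_ENV, which Vercel sets to "production", "preview" or "development"; PREVIEW_USER and PREVIEW_PASS are assumed names for server-only variables you would add to the Preview environment only.

```javascript
// Added example (not Vercel's own code): a middleware-style gate that puts
// preview deployments behind HTTP Basic auth, for projects that cannot use
// Vercel's built-in Deployment Protection. Vercel sets VERCEL_ENV to
// "production", "preview" or "development"; PREVIEW_USER and PREVIEW_PASS are
// assumed names for server-only variables added to the Preview environment
// only (never NEXT_PUBLIC_, or the password ships in the bundle).

// Constant-time comparison: a wrong guess takes the same time as a near miss.
// Length still leaks, which is acceptable for a shared preview password.
function safeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i];
  return diff === 0;
}

// Parse "Basic base64(user:pass)"; null for anything else.
function parseBasicAuth(header) {
  if (!header || !header.startsWith('Basic ')) return null;
  let decoded;
  try {
    decoded = atob(header.slice(6).trim());
  } catch {
    return null;
  }
  const colon = decoded.indexOf(':');
  if (colon === -1) return null;
  return { user: decoded.slice(0, colon), pass: decoded.slice(colon + 1) };
}

// Returns null to let the request through, or a Response to send instead.
// `env` is a parameter rather than process.env so the decision is testable;
// in middleware.js you would call guardPreview(request, process.env).
function guardPreview(request, env) {
  // Only preview deployments are gated; production stays public.
  if (env.VERCEL_ENV !== 'preview') return null;
  // Fail closed: a preview with no credentials configured serves nothing.
  if (!env.PREVIEW_USER || !env.PREVIEW_PASS) {
    return new Response('Preview credentials not configured', { status: 503 });
  }
  const creds = parseBasicAuth(request.headers.get('authorization'));
  // Evaluate both comparisons so the username check does not short-circuit.
  const ok = creds !== null &&
    [safeEqual(creds.user, env.PREVIEW_USER), safeEqual(creds.pass, env.PREVIEW_PASS)].every(Boolean);
  if (ok) return null;
  return new Response('Authentication required', {
    status: 401,
    headers: { 'WWW-Authenticate': 'Basic realm="preview"' },
  });
}

// Demo with constructed requests and a fake preview environment.
const DEMO_ENV = { VERCEL_ENV: 'preview', PREVIEW_USER: 'qa', PREVIEW_PASS: 'correct horse' };
const anonymous = guardPreview(new Request('https://my-app-git-feature.vercel.app/'), DEMO_ENV);
const authed = guardPreview(
  new Request('https://my-app-git-feature.vercel.app/', {
    headers: { authorization: 'Basic ' + btoa('qa:correct horse') },
  }),
  DEMO_ENV,
);
console.log(anonymous.status, authed); // 401 null
```

Wire `guardPreview` into the middleware entry point and return its Response when it is non-null; because the gate keys off VERCEL_ENV rather than the hostname, it also covers the branch alias URLs, and a preview whose credentials were never configured returns 503 instead of silently opening up.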
Serverless Function Security
Isolated Execution: Each serverless function runs in its own isolated environment. One function cannot access another's memory or file system. The isolation is per instance, not per request: a warm instance is reused for later invocations, so module-level state persists between requests served by the same instance (never cache one caller's data there) and is invisible to other instances (an in-memory counter or cache is per instance, not global).
Function Best Practices
- Validate all inputs (never trust client data)
- Use environment variables for secrets
- Set appropriate function timeouts
- Implement rate limiting for public APIs
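The two list items that need code are input validation and rate limiting, and the second has a serverless-specific trap: a counter kept in memory only counts requests that hit the same instance. The block below is an added example for this page, not Vercel's own code. It shows the transport-independent core of an API function that rejects malformed or over-specified input and rate-limits per client, with the limiter's store injected so production can swap in a shared store (Redis, Vercel KV); the in-memory Map is for the demo only. The order shape (email, quantity) is assumed, and the sample requests are constructed.

```javascript
// Added example (not Vercel's own code): the core of a Vercel-style API
// function with strict input validation and a per-client rate limit. The
// RateLimiter takes its store as a parameter: the in-memory Map used in this
// demo is NOT safe on Vercel, because every function instance has its own
// memory, so a real deployment must back it with a shared store (Redis,
// Vercel KV). The order fields (email, quantity) are assumed for the demo.

// Fixed-window counter: at most `limit` requests per `windowMs` per key.
class RateLimiter {
  constructor({ limit, windowMs, store = new Map(), now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.store = store; // Map-like: get(key), set(key, value); shared store in production
    this.now = now;     // injectable clock for deterministic tests
  }
  allow(key) {
    const t = this.now();
    const entry = this.store.get(key);
    if (!entry || t - entry.start >= this.windowMs) {
      this.store.set(key, { start: t, count: 1 });
      return true;
    }
    entry.count += 1;
    this.store.set(key, entry);
    return entry.count <= this.limit;
  }
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const ALLOWED_FIELDS = new Set(['email', 'quantity']);

// Returns a list of validation errors; empty means the body is acceptable.
// Unknown fields are rejected so a client cannot smuggle in e.g. {"admin": true}.
function validateOrder(body) {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return ['body must be a JSON object'];
  }
  const errors = [];
  if (typeof body.email !== 'string' || body.email.length > 254 || !EMAIL_RE.test(body.email)) {
    errors.push('email is invalid');
  }
  if (!Number.isInteger(body.quantity) || body.quantity < 1 || body.quantity > 100) {
    errors.push('quantity must be an integer from 1 to 100');
  }
  for (const k of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(k)) errors.push(`unexpected field: ${k}`);
  }
  return errors;
}

// Transport-independent handler: plain values in, { status, body } out,
// so it can be unit tested without the Request/Response API.
function handleOrder({ method, clientIp, bodyText }, limiter) {
  if (method !== 'POST') return { status: 405, body: { error: 'method not allowed' } };
  // Rate limit before parsing so abusive clients cost as little as possible.
  if (!limiter.allow(clientIp)) {
    return { status: 429, body: { error: 'rate limited' }, retryAfter: Math.ceil(limiter.windowMs / 1000) };
  }
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch {
    return { status: 400, body: { error: 'invalid JSON' } };
  }
  const errors = validateOrder(parsed);
  if (errors.length > 0) {
    return { status: 400, body: { error: 'validation failed', details: errors } };
  }
  // Only validated fields go further; anything else was rejected above.
  return { status: 200, body: { ok: true, email: parsed.email, quantity: parsed.quantity } };
}

// Adapter with the Web-standard signature a Vercel function exports as default.
// x-forwarded-for is trusted on the assumption that the platform edge sets it;
// its first entry is the client address.
async function handler(request, limiter) {
  const forwarded = request.headers.get('x-forwarded-for') || '';
  const clientIp = forwarded.split(',')[0].trim() || 'unknown';
  const result = handleOrder({ method: request.method, clientIp, bodyText: await request.text() }, limiter);
  const headers = { 'content-type': 'application/json' };
  if (result.retryAfter) headers['retry-after'] = String(result.retryAfter);
  return new Response(JSON.stringify(result.body), { status: result.status, headers });
}

// Demo: two requests allowed per minute per client, third one refused.
const demoLimiter = new RateLimiter({ limit: 2, windowMs: 60_000 });
const demoReq = { method: 'POST', clientIp: '203.0.113.5', bodyText: '{"email":"a@example.com","quantity":3}' };
console.log([1, 2, 3].map(() => handleOrder(demoReq, demoLimiter).status)); // [ 200, 200, 429 ]
```

Keep the validation strict (allow-list fields, bound every number and string) and keep the limiter's store outside the function instance; with the Map store shown here, a burst that fans out across several cold instances would sail past the limit.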
Security Features
| Feature | Status | Notes |
|---|---|---|
| HTTPS | Automatic | All deployments |
| DDoS Protection | Included | All plans |
| WAF | Enterprise | Web Application Firewall |
| SSO | Pro/Enterprise | Team authentication |
| Audit Logs | Enterprise | Activity tracking |
Is Vercel safe for production?
Yes, Vercel is used by major companies for production workloads. It's SOC 2 certified with automatic HTTPS, encrypted secrets, and isolated execution. Follow their security best practices for environment variables and preview deployments.
Can preview URLs leak my app?
Preview URLs are publicly accessible by default. Enable Vercel Authentication or Password Protection for sensitive projects. Use different environment variables for preview vs production.
Are my API keys safe on Vercel?
Yes, if stored correctly. Use regular environment variables (not NEXT_PUBLIC_ ones); they are encrypted at rest and only reach server-side code. Never commit secrets to your repository, expose them in client-side code, or print them from build scripts, since build logs are retained and readable by everyone with access to the project.