[{"data":1,"prerenderedAt":414},["ShallowReactive",2],{"blog-is-safe/vercel":3},{"id":4,"title":5,"body":6,"category":394,"date":395,"dateModified":395,"description":396,"draft":397,"extension":398,"faq":399,"featured":397,"headerVariant":400,"image":399,"keywords":399,"meta":401,"navigation":402,"ogDescription":403,"ogTitle":399,"path":404,"readTime":405,"schemaOrg":406,"schemaType":407,"seo":408,"sitemap":409,"stem":410,"tags":411,"twitterCard":412,"__hash__":413},"blog/blog/is-safe/vercel.md","Is Vercel Safe? Security Analysis",{"type":7,"value":8,"toc":375},"minimark",[9,16,21,24,28,73,77,87,92,147,151,154,163,167,193,197,206,210,224,228,299,321,325,328,349,363],[10,11,12],"tldr",{},[13,14,15],"p",{},"Vercel is a secure deployment platform with strong defaults. It provides automatic HTTPS, environment variable encryption, and isolated serverless functions. Main security concerns are preview URL exposure and ensuring secrets don't leak to client-side code. The platform itself is highly secure; most issues come from misconfigured applications.",[17,18,20],"h2",{"id":19},"what-is-vercel","What is Vercel?",[13,22,23],{},"Vercel is a cloud platform for deploying web applications, particularly popular with Next.js, React, and other frontend frameworks. It offers automatic deployments from Git, serverless functions, edge computing, and a global CDN. 
Created by the team behind Next.js.",[17,25,27],{"id":26},"our-verdict","Our Verdict",[29,30,31,36,55,59],"pros-cons",{},[32,33,35],"h4",{"id":34},"whats-good","What's Good",[37,38,39,43,46,49,52],"ul",{},[40,41,42],"li",{},"Automatic HTTPS everywhere",[40,44,45],{},"Encrypted environment variables",[40,47,48],{},"Isolated serverless functions",[40,50,51],{},"SOC 2 Type II certified",[40,53,54],{},"DDoS protection included",[32,56,58],{"id":57},"what-to-watch","What to Watch",[37,60,61,64,67,70],{},[40,62,63],{},"Preview URLs can leak",[40,65,66],{},"Client-side env var exposure",[40,68,69],{},"Build logs may contain secrets",[40,71,72],{},"Public by default",[17,74,76],{"id":75},"environment-variables","Environment Variables",[78,79,80],"danger-box",{},[13,81,82,86],{},[83,84,85],"strong",{},"Critical:"," Environment variables prefixed with NEXT_PUBLIC_ are exposed to the browser. Never put secrets in NEXT_PUBLIC_ variables.",[88,89,91],"h3",{"id":90},"variable-types","Variable Types",[93,94,95,111],"table",{},[96,97,98],"thead",{},[99,100,101,105,108],"tr",{},[102,103,104],"th",{},"Type",[102,106,107],{},"Accessible From",[102,109,110],{},"Use For",[112,113,114,126,137],"tbody",{},[99,115,116,120,123],{},[117,118,119],"td",{},"Regular env vars",[117,121,122],{},"Server only",[117,124,125],{},"API keys, secrets",[99,127,128,131,134],{},[117,129,130],{},"NEXT_PUBLIC_*",[117,132,133],{},"Server + Browser",[117,135,136],{},"Public IDs, analytics",[99,138,139,142,144],{},[117,140,141],{},"Vercel System",[117,143,122],{},[117,145,146],{},"Deployment info",[17,148,150],{"id":149},"preview-deployments","Preview Deployments",[13,152,153],{},"Every PR gets a unique preview URL. This is powerful but has security implications:",[155,156,157],"info-box",{},[13,158,159,162],{},[83,160,161],{},"Preview URL Risk:"," Preview deployments are publicly accessible by default. 
Anyone with the URL can access your staging environment.",[88,164,166],{"id":165},"preview-security-options","Preview Security Options",[37,168,169,175,181,187],{},[40,170,171,174],{},[83,172,173],{},"Vercel Authentication:"," Require login for preview URLs (Pro/Enterprise)",[40,176,177,180],{},[83,178,179],{},"Password Protection:"," Add a password to preview deployments",[40,182,183,186],{},[83,184,185],{},"Deployment Protection:"," Restrict access to team members only",[40,188,189,192],{},[83,190,191],{},"Separate env vars:"," Use different secrets for preview vs production, so that anything exposed through a preview deployment does not include production credentials",[17,194,196],{"id":195},"serverless-function-security","Serverless Function Security",[198,199,200],"success-box",{},[13,201,202,205],{},[83,203,204],{},"Isolated Execution:"," Each serverless function runs in its own isolated environment. One function cannot access another's memory or file system.",[88,207,209],{"id":208},"function-best-practices","Function Best Practices",[37,211,212,215,218,221],{},[40,213,214],{},"Validate all inputs (never trust client data)",[40,216,217],{},"Use environment variables for secrets",[40,219,220],{},"Set appropriate function timeouts",[40,222,223],{},"Implement rate limiting for public APIs",[17,225,227],{"id":226},"security-features","Security Features",[93,229,230,243],{},[96,231,232],{},[99,233,234,237,240],{},[102,235,236],{},"Feature",[102,238,239],{},"Status",[102,241,242],{},"Notes",[112,244,245,256,267,278,289],{},[99,246,247,250,253],{},[117,248,249],{},"HTTPS",[117,251,252],{},"Automatic",[117,254,255],{},"All deployments",[99,257,258,261,264],{},[117,259,260],{},"DDoS Protection",[117,262,263],{},"Included",[117,265,266],{},"All plans",[99,268,269,272,275],{},[117,270,271],{},"WAF",[117,273,274],{},"Enterprise",[117,276,277],{},"Web Application Firewall",[99,279,280,283,286],{},[117,281,282],{},"SSO",[117,284,285],{},"Pro/Enterprise",[117,287,288],{},"Team authentication",[99,290,291,294,296],{},[117,292,293],{},"Audit 
Logs",[117,295,274],{},[117,297,298],{},"Activity tracking",[300,301,302,309,315],"faq-section",{},[303,304,306],"faq-item",{"question":305},"Is Vercel safe for production?",[13,307,308],{},"Yes, Vercel is used by major companies for production workloads. It's SOC 2 certified with automatic HTTPS, encrypted secrets, and isolated execution. Follow their security best practices for environment variables and preview deployments.",[303,310,312],{"question":311},"Can preview URLs leak my app?",[13,313,314],{},"Preview URLs are publicly accessible by default. Enable Vercel Authentication or Password Protection for sensitive projects. Use different environment variables for preview vs production.",[303,316,318],{"question":317},"Are my API keys safe on Vercel?",[13,319,320],{},"Yes, if stored correctly. Store them in environment variables without the NEXT_PUBLIC_ prefix: those are encrypted at rest and stay on the server, while NEXT_PUBLIC_ variables are exposed to the browser. Never commit secrets to your repository or expose them in client-side code.",[17,322,324],{"id":323},"further-reading","Further Reading",[13,326,327],{},"Ready to secure your setup? 
Check out our hands-on guides.",[37,329,330,337,343],{},[40,331,332],{},[333,334,336],"a",{"href":335},"/blog/checklists/pre-deployment-security-checklist","Pre-deployment security checklist",[40,338,339],{},[333,340,342],{"href":341},"/blog/getting-started/first-scan","Run your first security scan",[40,344,345],{},[333,346,348],{"href":347},"/blog/best-practices/environment-variables","Environment variable best practices",[350,351,352,358],"related-articles",{},[353,354],"related-card",{"description":355,"href":356,"title":357},"Compare deployment platforms","/blog/is-safe/netlify","Is Netlify Safe?",[353,359],{"description":360,"href":361,"title":362},"Edge deployment option","/blog/is-safe/cloudflare","Is Cloudflare Safe?",[364,365,368,372],"cta-box",{"href":366,"label":367},"/","Start Free Scan",[17,369,371],{"id":370},"deploying-to-vercel","Deploying to Vercel?",[13,373,374],{},"Scan your project for exposed secrets and security issues.",{"title":376,"searchDepth":377,"depth":377,"links":378},"",2,[379,380,381,385,388,391,392,393],{"id":19,"depth":377,"text":20},{"id":26,"depth":377,"text":27},{"id":75,"depth":377,"text":76,"children":382},[383],{"id":90,"depth":384,"text":91},3,{"id":149,"depth":377,"text":150,"children":386},[387],{"id":165,"depth":384,"text":166},{"id":195,"depth":377,"text":196,"children":389},[390],{"id":208,"depth":384,"text":209},{"id":226,"depth":377,"text":227},{"id":323,"depth":377,"text":324},{"id":370,"depth":377,"text":371},"is-safe","2026-02-20","Is Vercel safe for production? 
Security analysis covering deployment security, environment variables, edge functions, and preview deployments.",false,"md",null,"amber",{},true,"Security analysis of the Vercel deployment platform covering environment variables, preview URLs, and edge security.","/blog/is-safe/vercel","5 min read","[object Object]","Article",{"title":5,"description":396},{"loc":404},"blog/is-safe/vercel",[],"summary_large_image","bWJ47hfPzwo8hHE8j1hyCDSYa76EmOnVzlvbyGSa9ys",1775843918547]