TL;DR
Vercel handles HTTPS automatically, but you need to configure security headers, protect environment variables, and secure serverless functions yourself. Use vercel.json for headers, dashboard for secrets, and middleware for auth. These prompts cover the essentials.
Security Headers in vercel.json
Configure security headers in my Vercel project.
Create or update vercel.json:
{ "headers": { "source": "/(.*)", "headers": [ { "key": "X-Frame-Options", "value": "DENY" }, { "key": "X-Content-Type-Options", "value": "nosniff" }, { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }, { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }, { "key": "X-DNS-Prefetch-Control", "value": "on" } ] } }
Note: HSTS is handled automatically by Vercel for custom domains. For CSP, use Next.js middleware or next.config.js for more control.
Environment Variables
Set up secure environment variables in Vercel.
Best practices:
- Use Vercel Dashboard for secrets (not vercel.json) Dashboard > Settings > Environment Variables
- Separate by environment:
- Production: Real API keys
- Preview: Test keys or mock endpoints
- Development: Local development keys
- Never expose server secrets to client: // Next.js: Only NEXT_PUBLIC_ vars go to browser NEXT_PUBLIC_API_URL=https://api.example.com // Exposed DATABASE_URL=postgresql://... // Server only
- Sensitive variables should be "Sensitive" type:
- Hidden after creation
- Not visible in logs
- Use for: API keys, database passwords
- Never commit .env files: // .gitignore .env .env.local .env.production
- Audit variable access: vercel env ls
Pull to local (for development): vercel env pull .env.local
Preview deployments are public: Anyone with the URL can access preview deploys. Don't put production data in preview environments. Use Vercel Password Protection or Vercel Authentication for sensitive previews.
Protect Preview Deployments
Protect my Vercel preview deployments from public access.
Options:
- Vercel Authentication (Pro/Enterprise):
Dashboard > Settings > Deployment Protection
- Enable "Vercel Authentication"
- Only team members can access previews
- Password Protection (Pro/Enterprise):
Dashboard > Settings > Deployment Protection
- Set a password for preview deployments
- Share password with testers
- Custom middleware (all plans):
// middleware.ts
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
export function middleware(request: NextRequest) { // Only protect preview deployments if (process.env.VERCEL_ENV === 'preview') { const authHeader = request.headers.get('authorization'); const expectedAuth =Basic ${Buffer.from(admin:${process.env.PREVIEW_PASSWORD}).toString('base64')};if (authHeader !== expectedAuth) { return new NextResponse('Authentication required', { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="Preview"' }, }); }
} return NextResponse.next(); } - IP Allowlist (Enterprise): Restrict access to specific IP ranges
Serverless Function Security
Secure my Vercel serverless functions (API routes).
Key security measures:
- Rate limiting (use Vercel KV or external service):
import { Ratelimit } from '@upstash/ratelimit';
import { kv } from '@vercel/kv';
const ratelimit = new Ratelimit({ redis: kv, limiter: Ratelimit.slidingWindow(10, '10 s'), }); - Input validation: import { z } from 'zod'; const schema = z.object({ email: z.string().email() }); const result = schema.safeParse(req.body);
- Authentication middleware: // middleware.ts export function middleware(request: NextRequest) { if (request.nextUrl.pathname.startsWith('/api/admin')) { const token = request.headers.get('authorization'); if (!validateToken(token)) { return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }); } } }
- Set function timeouts: // vercel.json { "functions": { "api/heavy-task.ts": { "maxDuration": 30 } } }
- CORS configuration for external access only when needed.
Pro tip: Use Vercel's built-in analytics and logs to monitor for suspicious activity. Set up alerts for unusual traffic patterns or error spikes that might indicate attacks.
Is my source code exposed on Vercel?
Your source code isn't directly exposed, but source maps might be. Disable source maps in production or use Vercel's source protection. API route code is never sent to browsers.
How do I prevent abuse of my serverless functions?
Implement rate limiting (Upstash/Vercel KV), require authentication for sensitive endpoints, validate all inputs, and monitor your usage. Consider Vercel's DDoS protection on higher plans.