[{"data":1,"prerenderedAt":345},["ShallowReactive",2],{"blog-prompts/vercel-security-config":3},{"id":4,"title":5,"body":6,"category":324,"date":325,"dateModified":326,"description":327,"draft":328,"extension":329,"faq":330,"featured":328,"headerVariant":331,"image":330,"keywords":330,"meta":332,"navigation":333,"ogDescription":334,"ogTitle":330,"path":335,"readTime":330,"schemaOrg":336,"schemaType":337,"seo":338,"sitemap":339,"stem":340,"tags":341,"twitterCard":343,"__hash__":344},"blog/blog/prompts/vercel-security-config.md","Vercel Security Configuration with AI Prompts",{"type":7,"value":8,"toc":315},"minimark",[9,16,21,29,50,54,57,121,131,135,138,202,206,209,238,247,263,267,270,290,303],[10,11,12],"tldr",{},[13,14,15],"p",{},"Vercel handles HTTPS automatically, but you need to configure security headers, protect environment variables, and secure serverless functions yourself. Use vercel.json for headers, dashboard for secrets, and middleware for auth. These prompts cover the essentials.",[17,18,20],"h2",{"id":19},"security-headers-in-verceljson","Security Headers in vercel.json",[13,22,23,24,28],{},"Copy this prompt to generate a complete ",[25,26,27],"code",{},"vercel.json"," security headers configuration. 
Your AI will produce X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers applied to all routes.",[30,31,33,36,39,47],"prompt-box",{"title":32},"Add Security Headers",[13,34,35],{},"Configure security headers in my Vercel project.",[13,37,38],{},"Create or update vercel.json:",[13,40,41,42,46],{},"{\n\"headers\": ",[43,44,45],"span",{},"\n{\n\"source\": \"/(.*)\",\n\"headers\": [\n{\n\"key\": \"X-Frame-Options\",\n\"value\": \"DENY\"\n},\n{\n\"key\": \"X-Content-Type-Options\",\n\"value\": \"nosniff\"\n},\n{\n\"key\": \"Referrer-Policy\",\n\"value\": \"strict-origin-when-cross-origin\"\n},\n{\n\"key\": \"Permissions-Policy\",\n\"value\": \"camera=(), microphone=(), geolocation=()\"\n},\n{\n\"key\": \"X-DNS-Prefetch-Control\",\n\"value\": \"on\"\n}\n]\n}\n","\n}",[13,48,49],{},"Note: HSTS is handled automatically by Vercel for custom domains.\nFor CSP, use Next.js middleware or next.config.js for more control.",[17,51,53],{"id":52},"environment-variables","Environment Variables",[13,55,56],{},"Use this prompt to set up secure environment variable management in Vercel. 
Your AI will generate best practices for separating secrets by environment, preventing client-side exposure, and auditing variable access.",[30,58,60,63,66,118],{"title":59},"Secure Environment Variables",[13,61,62],{},"Set up secure environment variables in Vercel.",[13,64,65],{},"Best practices:",[67,68,69,73,88,98,112,115],"ol",{},[70,71,72],"li",{},"Use Vercel Dashboard for secrets (not vercel.json)\nDashboard > Settings > Environment Variables",[70,74,75,76],{},"Separate by environment:",[77,78,79,82,85],"ul",{},[70,80,81],{},"Production: Real API keys",[70,83,84],{},"Preview: Test keys or mock endpoints",[70,86,87],{},"Development: Local development keys",[70,89,90,91,97],{},"Never expose server secrets to client:\n// Next.js: Only NEXT_PUBLIC_ vars go to browser\nNEXT_PUBLIC_API_URL=",[92,93,94],"a",{"href":94,"rel":95},"https://api.example.com",[96],"nofollow","  // Exposed\nDATABASE_URL=postgresql://...                  // Server only",[70,99,100,101],{},"Sensitive variables should be \"Sensitive\" type:",[77,102,103,106,109],{},[70,104,105],{},"Hidden after creation",[70,107,108],{},"Not visible in logs",[70,110,111],{},"Use for: API keys, database passwords",[70,113,114],{},"Never commit .env files:\n// .gitignore\n.env\n.env.local\n.env.production",[70,116,117],{},"Audit variable access:\nvercel env ls",[13,119,120],{},"Pull to local (for development):\nvercel env pull .env.local",[122,123,124],"warning-box",{},[13,125,126,130],{},[127,128,129],"strong",{},"Preview deployments are public:"," Anyone with the URL can access preview deploys. Don't put production data in preview environments. Use Vercel Password Protection or Vercel Authentication for sensitive previews.",[17,132,134],{"id":133},"protect-preview-deployments","Protect Preview Deployments",[13,136,137],{},"This prompt asks your AI to lock down your Vercel preview deployments from public access. 
You'll get options ranging from built-in Vercel Authentication to a custom Basic Auth middleware you can use on any plan.",[30,139,141,144,147],{"title":140},"Secure Preview Deploys",[13,142,143],{},"Protect my Vercel preview deployments from public access.",[13,145,146],{},"Options:",[67,148,149,160,171,199],{},[70,150,151,152],{},"Vercel Authentication (Pro/Enterprise):\nDashboard > Settings > Deployment Protection",[77,153,154,157],{},[70,155,156],{},"Enable \"Vercel Authentication\"",[70,158,159],{},"Only team members can access previews",[70,161,162,163],{},"Password Protection (Pro/Enterprise):\nDashboard > Settings > Deployment Protection",[77,164,165,168],{},[70,166,167],{},"Set a password for preview deployments",[70,169,170],{},"Share password with testers",[70,172,173,174,177,178,181,182,185,186,196,198],{},"Custom middleware (all plans):\n// middleware.ts\nimport { NextResponse } from 'next/server';\nimport type { NextRequest } from 'next/server';",[175,176],"br",{},"export function middleware(request: NextRequest) {\n// Only protect preview deployments\nif (process.env.VERCEL_ENV === 'preview') {\nconst authHeader = request.headers.get('authorization');\nconst expectedAuth = ",[25,179,180],{},"Basic ${Buffer.from(","admin:${process.env.PREVIEW_PASSWORD}",[25,183,184],{},").toString('base64')}",";",[187,188,193],"pre",{"className":189,"code":191,"language":192},[190],"language-text","if (authHeader !== expectedAuth) {\n  return new NextResponse('Authentication required', {\n    status: 401,\n    headers: { 'WWW-Authenticate': 'Basic realm=\"Preview\"' },\n  });\n}\n","text",[25,194,191],{"__ignoreMap":195},"",[175,197],{},"}\nreturn NextResponse.next();\n}",[70,200,201],{},"IP Allowlist (Enterprise):\nRestrict access to specific IP ranges",[17,203,205],{"id":204},"serverless-function-security","Serverless Function Security",[13,207,208],{},"Copy this prompt to secure your Vercel serverless functions and API routes. 
Your AI will generate rate limiting with Upstash, Zod input validation, authentication middleware, and timeout configuration.",[30,210,212,215,218],{"title":211},"Secure Serverless Functions",[13,213,214],{},"Secure my Vercel serverless functions (API routes).",[13,216,217],{},"Key security measures:",[67,219,220,226,229,232,235],{},[70,221,222,223,225],{},"Rate limiting (use Vercel KV or external service):\nimport { Ratelimit } from '@upstash/ratelimit';\nimport { kv } from '@vercel/kv';",[175,224],{},"const ratelimit = new Ratelimit({\nredis: kv,\nlimiter: Ratelimit.slidingWindow(10, '10 s'),\n});",[70,227,228],{},"Input validation:\nimport { z } from 'zod';\nconst schema = z.object({ email: z.string().email() });\nconst result = schema.safeParse(req.body);",[70,230,231],{},"Authentication middleware:\n// middleware.ts\nexport function middleware(request: NextRequest) {\nif (request.nextUrl.pathname.startsWith('/api/admin')) {\nconst token = request.headers.get('authorization');\nif (!validateToken(token)) {\nreturn NextResponse.json({ error: 'Unauthorized' }, { status: 401 });\n}\n}\n}",[70,233,234],{},"Set function timeouts:\n// vercel.json\n{\n\"functions\": {\n\"api/heavy-task.ts\": { \"maxDuration\": 30 }\n}\n}",[70,236,237],{},"CORS configuration for external access only when needed.",[239,240,241],"tip-box",{},[13,242,243,246],{},[127,244,245],{},"Pro tip:"," Use Vercel's built-in analytics and logs to monitor for suspicious activity. Set up alerts for unusual traffic patterns or error spikes that might indicate attacks.",[248,249,250,257],"faq-section",{},[251,252,254],"faq-item",{"question":253},"Is my source code exposed on Vercel?",[13,255,256],{},"Your source code isn't directly exposed, but source maps might be. Disable source maps in production or use Vercel's source protection. 
API route code runs only on the server and is not sent to browsers.",[251,258,260],{"question":259},"How do I prevent abuse of my serverless functions?",[13,261,262],{},"Implement rate limiting (Upstash/Vercel KV), require authentication for sensitive endpoints, validate all inputs, and monitor your usage. Consider Vercel's DDoS protection on higher plans.",[17,264,266],{"id":265},"further-reading","Further Reading",[13,268,269],{},"Want to understand the underlying risks before fixing them? These guides explain what's happening and why.",[77,271,272,278,284],{},[70,273,274],{},[92,275,277],{"href":276},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[70,279,280],{},[92,281,283],{"href":282},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[70,285,286],{},[92,287,289],{"href":288},"/blog/best-practices/secrets","Secret management best practices",[291,292,293,298],"related-articles",{},[294,295],"related-card",{"description":296,"href":297,"title":32},"Header configuration","/blog/prompts/add-security-headers",[294,299],{"description":300,"href":301,"title":302},"Dev vs production","/blog/prompts/environment-separation","Environment Separation",[304,305,308,312],"cta-box",{"href":306,"label":307},"/","Start Free Scan",[17,309,311],{"id":310},"audit-your-vercel-config","Audit Your Vercel Config",[13,313,314],{},"Scan your Vercel deployment for security misconfigurations.",{"title":195,"searchDepth":316,"depth":316,"links":317},2,[318,319,320,321,322,323],{"id":19,"depth":316,"text":20},{"id":52,"depth":316,"text":53},{"id":133,"depth":316,"text":134},{"id":204,"depth":316,"text":205},{"id":265,"depth":316,"text":266},{"id":310,"depth":316,"text":311},"prompts","2026-02-27","2026-03-06","AI prompts to configure Vercel security settings. 
Set up security headers, environment variables, and edge functions securely on Vercel.",false,"md",null,"cyan",{},true,"AI prompts to secure your Vercel deployment.","/blog/prompts/vercel-security-config","[object Object]","BlogPosting",{"title":5,"description":327},{"loc":335},"blog/prompts/vercel-security-config",[342],"Deployment","summary_large_image","DQq0_-onLTkSPF1cP1-Z2NCRYASwTEB3-21TWa9WrJ0",1775843937990]