
IS VERCEL SAFE?

Vercel makes deploying frontend applications effortless, but the default configuration leaves security gaps. Missing security headers, exposed environment variables, public preview deployments, and unprotected API routes are common issues that attackers actively exploit.

72% of scanned sites send no CSP header
74% have no rate limiting
47% have no DMARC record
447+ sites analyzed

TOP SECURITY RISKS

Missing Security Headers (severity: high)

Without Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and other security headers, your application is vulnerable to cross-site scripting, clickjacking, MIME sniffing attacks, and other client-side exploits.

Exposed Environment Variables via NEXT_PUBLIC Prefix (severity: critical)

Any environment variable prefixed with NEXT_PUBLIC_ is bundled into client-side JavaScript and visible to anyone. Developers who accidentally prefix API secrets, database URLs, or service keys with NEXT_PUBLIC_ expose them to the entire internet.

Source Maps Exposed in Production (severity: medium)

Production source maps reveal your original source code, file structure, internal comments, and business logic. Attackers use source maps to find vulnerabilities, understand authentication flows, and identify hardcoded values.

API Routes Without Authentication (severity: high)

Next.js API routes deployed on Vercel are publicly accessible by default. Without authentication middleware, anyone can call your backend endpoints to read data, trigger actions, or abuse server resources.

Preview Deployments Accessible Publicly (severity: medium)

Every push to a branch creates a public preview URL. If your app contains staging data, admin interfaces, or unreleased features, anyone with the URL can access them. Preview URLs can be indexed by search engines if not protected.

SECURITY CHECKLIST

Add security headers via Next.js middleware or next.config.js including Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options
Audit all NEXT_PUBLIC_ environment variables and confirm none contain secrets, API keys, or database credentials
Disable source maps in production by setting productionBrowserSourceMaps to false in next.config.js
Add authentication checks to all API routes using session validation or JWT verification before processing requests
Protect preview deployments with Vercel Authentication or password protection to prevent unauthorized access
Configure CORS headers on API routes to restrict cross-origin requests to your own domains
Enable Vercel Firewall rules to block known malicious IPs and rate-limit suspicious traffic patterns
UNPWNED checks all of the above automatically with 700+ security tests.
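The checklist names next.config.js as the place to set both the security headers and the source-map switch. The file below is an added example, not code from Vercel, Next.js or UNPWNED, showing a next.config.js that does both through the headers() function and the productionBrowserSourceMaps option Next.js provides. The CSP directives and the https://api.example.com connect-src origin are assumptions: Next.js injects inline bootstrap scripts, so a script-src of 'self' alone blocks them until nonces or hashes are added, and every directive needs tuning to what the app really loads.

```javascript
// next.config.js (added example; not Vercel's or Next.js's own code)
// Applies a baseline set of security headers to every route and turns off
// production browser source maps. CSP sources below are placeholders: tune
// them to the scripts, styles and API origins the app really uses.

const cspDirectives = {
  'default-src': ["'self'"],
  // Next.js injects inline scripts for hydration; 'self' alone blocks them.
  // In production, issue a per-request nonce from middleware and add it here
  // rather than falling back to 'unsafe-inline'.
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"], // styled-jsx / CSS-in-JS usually needs this
  'img-src': ["'self'", 'data:', 'blob:'],
  'font-src': ["'self'"],
  'connect-src': ["'self'", 'https://api.example.com'], // assumed API origin
  'frame-ancestors': ["'none'"], // same intent as X-Frame-Options: DENY
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
};

// Serialises the directive map into a single Content-Security-Policy value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

const securityHeaders = [
  { key: 'Content-Security-Policy', value: buildCsp(cspDirectives) },
  // Two years, subdomains included. Add 'preload' only once every subdomain
  // serves HTTPS, because removal from the preload list is slow.
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

/** @type {import('next').NextConfig} */
const nextConfig = {
  // Keep original source out of production bundles (checklist item above).
  productionBrowserSourceMaps: false,
  async headers() {
    return [
      {
        source: '/(.*)', // every route, including API routes and static assets
        headers: securityHeaders,
      },
    ];
  },
};

module.exports = nextConfig;
```

After deploying, confirm the result from outside with `curl -sI https://your-app.vercel.app` and check that each header appears on both a page and an API route; the frame-ancestors directive and X-Frame-Options are kept together because older browsers honour only the latter.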

SCAN YOUR VERCEL APP

700+ security checks. AI-powered fix prompts. Results in under 2 minutes. Free, no credit card required.


FREQUENTLY ASKED QUESTIONS

Does Vercel add security headers automatically?

No. Vercel provides HTTPS by default but does not add Content-Security-Policy, X-Frame-Options, or other security headers. You must configure them yourself via next.config.js headers, middleware, or vercel.json.

Are NEXT_PUBLIC_ environment variables safe to use?

They are safe for truly public values like your site URL or analytics IDs. They are not safe for secrets because NEXT_PUBLIC_ variables are embedded in the client-side JavaScript bundle and visible to anyone who inspects your page source.

How do I protect my Vercel preview deployments?

Enable Vercel Authentication in your project settings to require login for preview URLs. For team projects, restrict access to team members only. You can also add password protection or disable preview deployments for sensitive branches.

Should I disable source maps in production?

Yes. Set productionBrowserSourceMaps to false in next.config.js. Source maps expose your original code structure and make it significantly easier for attackers to find vulnerabilities. Use server-side error tracking services for debugging production issues instead.

How do I secure Next.js API routes on Vercel?

Add authentication middleware that validates session tokens or JWTs before any API route processes a request. Use Next.js middleware for route-level protection, implement rate limiting, and validate all input parameters to prevent injection attacks.

Data based on 447+ website scans. Last updated: 2026-04-06. Statistics reflect aggregate findings across all scanned websites, not Vercel exclusively.