Vercel Security Guide

Does Vercel add security headers automatically?

Vercel adds the Strict-Transport-Security (HSTS) and X-Content-Type-Options headers automatically, but does not add Content-Security-Policy, Permissions-Policy, X-Frame-Options, or Referrer-Policy by default. The developer must configure these headers using middleware, the headers configuration in next.config.js, or a headers section in vercel.json. The Next.js framework itself adds X-Content-Type-Options: nosniff by default through its own configuration. Missing security headers are one of the most common findings on Vercel-hosted applications. UNPWNED checks all critical security headers on your deployment and reports which ones are missing, with exact configuration snippets to fix them.
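As an added example (not taken from Vercel, Next.js, or UNPWNED), the following next.config.js sets the four headers listed above as not added by default and includes a small check that reports which of them a response lacks. The header values, the helper missingSecurityHeaders and the sample response are assumptions constructed for illustration; the Content-Security-Policy in particular is a starting point that most apps will need to extend.

```javascript
// next.config.js (added example; header values are assumptions to tune per app)
const securityHeaders = [
  // Constructed starting policy; real apps usually need extra script/style sources.
  { key: "Content-Security-Policy", value: "default-src 'self'; frame-ancestors 'none'" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
];

const nextConfig = {
  // Next.js applies the returned headers to every route matching `source`.
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

// Hypothetical helper: given response headers (name -> value), return the
// configured header names that are absent. Header names are case-insensitive.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(
    Object.keys(responseHeaders).map((name) => name.toLowerCase())
  );
  return securityHeaders
    .map((h) => h.key)
    .filter((key) => !present.has(key.toLowerCase()));
}

// Constructed sample: a response carrying only the two headers the page
// says are added automatically.
const sampleDefaultResponse = {
  "strict-transport-security": "max-age=63072000",
  "x-content-type-options": "nosniff",
};

// Export guarded so the file also loads outside a CommonJS context.
if (typeof module !== "undefined") module.exports = nextConfig;
```

Calling missingSecurityHeaders(sampleDefaultResponse) returns all four configured header names, which is the gap described above.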


Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.