Vercel Security Guide

Is Vercel secure by default?

Vercel provides a secure hosting infrastructure with automatic HTTPS, DDoS protection, and edge network security. However, Vercel does not add security headers like Content-Security-Policy, X-Frame-Options, or Permissions-Policy by default. Developers must configure these headers manually through vercel.json, next.config.js, or middleware. Environment variables prefixed with NEXT_PUBLIC_ are exposed to the browser, which is a common source of accidental secret leaks. UNPWNED tests your Vercel deployment for missing security headers and exposed secrets to ensure your application follows security best practices.
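The two checks described above, as an added example that is not UNPWNED's or Vercel's code: it reports which of the three named headers a response lacks, emits a matching "headers" entry in vercel.json's format, and flags NEXT_PUBLIC_ variables whose names look like secrets. The header values, the name patterns and the sample data are assumptions constructed for illustration.

```javascript
// Added example. Header names are from the page; values, hint patterns and
// sample data below are assumptions/constructed, not Vercel defaults.
const BASELINE = {
  "Content-Security-Policy": "default-src 'self'",
  "X-Frame-Options": "DENY",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Name fragments that suggest a secret (assumed heuristic; tune per project).
const SECRET_HINTS = /SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY|SERVICE_ROLE/i;

// Baseline headers absent from a response; header names are case-insensitive.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((h) => h.toLowerCase()));
  return Object.keys(BASELINE).filter((h) => !present.has(h.toLowerCase()));
}

// NEXT_PUBLIC_ variables whose names look like secrets. Server-only variables
// (no prefix) are ignored because they are not sent to the browser.
function riskyPublicEnv(env) {
  return Object.keys(env)
    .filter((name) => name.startsWith("NEXT_PUBLIC_") && SECRET_HINTS.test(name))
    .sort();
}

// Build the "headers" entry for vercel.json that adds only the missing headers.
function vercelHeadersFor(missing, source = "/(.*)") {
  if (missing.length === 0) return [];
  return [{ source, headers: missing.map((key) => ({ key, value: BASELINE[key] })) }];
}

// Constructed sample: one response's headers and a project's env var names.
const sampleResponse = { "strict-transport-security": "max-age=63072000", "x-frame-options": "SAMEORIGIN" };
const sampleEnv = {
  NEXT_PUBLIC_SITE_URL: "https://example.com",
  NEXT_PUBLIC_STRIPE_SECRET_KEY: "constructed-value",
  DATABASE_PASSWORD: "constructed-value",
};

const missing = missingSecurityHeaders(sampleResponse);
console.log(JSON.stringify({ headers: vercelHeadersFor(missing) }, null, 2));
console.log("Review before deploy:", riskyPublicEnv(sampleEnv));
```

A `default-src 'self'` policy will block inline scripts and third-party assets, so treat the Content-Security-Policy value as a starting point to tighten or relax per application.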

Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.