Vercel Security Guide

How secure are Vercel Serverless Functions?

Vercel Serverless Functions run in isolated AWS Lambda environments and have access to server-side environment variables that are not exposed to the client. However, functions are publicly accessible by default at their API route paths and do not include built-in authentication or rate limiting. Developers must implement their own authentication checks, input validation, and abuse prevention within each function. Functions that access databases or external APIs should validate all user input to prevent injection attacks. UNPWNED tests your serverless function endpoints for common vulnerabilities including missing authentication, input validation bypasses, and information disclosure.
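The per-function checks described above, sketched as an added example (not code from this page or from Vercel). The `API_TOKEN` variable name, the `title` field, and the limits are assumptions chosen for illustration; the handler fails closed when the token is not configured and returns generic errors to avoid information disclosure.

```javascript
// Hypothetical /api/notes handler. In a Vercel project it would be the file's default export.
const WINDOW_MS = 60_000, MAX_HITS = 5;   // assumed limits
const hits = new Map();                   // ip -> timestamps; per instance only, use a shared store in production

function safeEqual(a, b) {                // constant-time string comparison
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function rateLimited(key, now) {          // sliding window over the last WINDOW_MS
  const recent = (hits.get(key) || []).filter((t) => now - t < WINDOW_MS);
  recent.push(now);
  hits.set(key, recent);
  return recent.length > MAX_HITS;
}

function validateNote(body) {             // allow-list: one string field, bounded length
  if (!body || typeof body !== 'object' || Array.isArray(body)) return null;
  if (typeof body.title !== 'string') return null;   // rejects objects such as {"$ne": null}
  const title = body.title.trim();
  return title.length >= 1 && title.length <= 100 ? { title } : null;
}

function handler(req, res, now = Date.now()) {
  if (req.method !== 'POST') return res.status(405).json({ error: 'method not allowed' });
  // Assumption: the platform sets x-forwarded-for to the client address.
  const ip = String(req.headers['x-forwarded-for'] || 'unknown').split(',')[0].trim();
  if (rateLimited(ip, now)) return res.status(429).json({ error: 'too many requests' });
  const token = String(req.headers.authorization || '').replace(/^Bearer /, '');
  const expected = process.env.API_TOKEN; // server-side only, never sent to the client
  if (!expected || !safeEqual(token, expected)) return res.status(401).json({ error: 'unauthorized' });
  const note = validateNote(req.body);
  if (!note) return res.status(400).json({ error: 'invalid input' });
  // Pass note.title to the database as a bound parameter, never by string concatenation.
  return res.status(201).json({ ok: true, title: note.title });
}
```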


Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.