Vercel Security Checklist · Before You Ship
Vercel gives you a fast production host. It doesn't automatically make your app secure. Before you flip a project to production, walk through this checklist · env-var scoping, preview protection, headers, function auth, and log redaction. Most Vercel-hosted incidents come from these five categories, not from the platform.
Common misconfigurations
- Secrets in `NEXT_PUBLIC_` vars · The prefix ships them to browsers. Only truly-public identifiers belong there.
- Preview deployments unprotected · Enable Password Protection or Vercel Authentication in project settings for anything pre-production.
- No security headers · Add via `vercel.json` or `next.config.js` (see the Next.js headers guide).
- Unauthenticated route handlers · Every `app/api/*` handler needs an explicit auth check · Next.js doesn't add one.
- Logs leaking user data · `console.log(user)` in a route handler shows up in Vercel logs and third-party log drains. Redact.
Frequently asked
Is Vercel HIPAA-compliant?
Enterprise plans support HIPAA BAAs. Hobby and Pro do not.
How do I protect preview deployments?
Project Settings > Deployment Protection · pick Password or Vercel Authentication.
Does Vercel scan my code?
No. Vercel focuses on infra; app-level security is your job. Tools like SimplyScan check the deployed URL.
Scan for this issue →