Is Vercel Safe?
Vercel is a safe platform · SOC 2, ISO 27001, strong DDoS defaults. What breaks in practice is `NEXT_PUBLIC_` vars leaking secrets and route handlers without session checks. Fixable in a code review.
Known risks
- `NEXT_PUBLIC_` variable leaks · Anything prefixed `NEXT_PUBLIC_` ships to the browser. Easy to accidentally expose an intended-server key.
- Unprotected API routes · Next.js route handlers are public by default; auth must be explicitly added to each.
- Preview URL exposure · Preview deployments have unique URLs that can be shared or scraped. Password-protect previews for private projects.
How to make it safer
- Audit `NEXT_PUBLIC_` vars · Only truly public identifiers (Supabase anon key, Google Maps browser key) belong there.
- Wrap handlers with `withAuth` · A single middleware or helper that verifies the session should sit at the top of every non-public route handler.
- Enable preview protection · In Vercel project settings, require a password or SSO for preview deployments.
Frequently asked
Is Vercel safe for production apps?
Yes · it's the reference production host for Next.js apps. Config-level mistakes are the only real risk.
What's the biggest Vercel security mistake?
Putting a secret behind `NEXT_PUBLIC_` and shipping it to browsers.
Does Vercel protect previews?
Optional · enable password/SSO protection in project settings for private previews.
Scan your Vercel app →