Vercel Security Best Practices
Secure your Vercel deployments with these essential practices. From environment variables to preview protection.
Vercel handles much of the infrastructure security, but application security is your responsibility. These practices help you deploy securely on Vercel.
Security Best Practices
#1 Use Environment Variables for Secrets (critical)
Never commit secrets to your repository. Use Vercel's environment variable management.
Implementation
Add secrets in Vercel Dashboard → Settings → Environment Variables
#2 Separate Environment Variables by Environment (critical)
Use different secrets for Development, Preview, and Production environments.
Implementation
In Vercel Dashboard, set environment-specific values for each variable
#3 Protect Preview Deployments (high)
Preview deployments are public by default. Protect them to prevent leaking unreleased features.
Implementation
Enable Deployment Protection in Project Settings → Deployment Protection
#4 Configure Security Headers (high)
Add CSP, HSTS, and other security headers via vercel.json or Next.js config.
Implementation
Add headers configuration in next.config.js or vercel.json
#5 Secure API Routes and Server Actions (high)
Validate authentication and authorization in every API route and Server Action.
Implementation
Check session/token validity and user permissions at the start of each route
#6 Enable Vercel Firewall (medium)
Use Vercel Firewall to block malicious traffic and rate-limit requests.
Implementation
Configure rules in Vercel Dashboard → Firewall
Common Mistakes to Avoid
Secrets in NEXT_PUBLIC_ variables
NEXT_PUBLIC_ variables are exposed to the browser
Server-only secrets should never have the NEXT_PUBLIC_ prefix
Unprotected preview deployments
Anyone with the URL can see unreleased features and test with staging data
Enable Deployment Protection for preview environments
Same secrets in all environments
Production keys used in development increase risk of exposure
Use different API keys and secrets for each environment
Verify Your Vercel App Security
Following best practices is the first step. Verify your app is actually secure with a comprehensive security scan.
Frequently Asked Questions
Are my environment variables secure on Vercel?
Yes, Vercel encrypts environment variables at rest and in transit. They're only exposed to your build and runtime processes. Just ensure you don't use NEXT_PUBLIC_ for secrets.
How do I add security headers?
Add a headers config to next.config.js or vercel.json. Include Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security.
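Added example (not code from the Vercel page or the Vercel project): a next.config.js headers hook that sets the headers named in practice #4 and in this answer on every route. The CSP directive sources are placeholders to adapt to what the app actually loads, and the preload token assumes the domain will be submitted to the HSTS preload list.

```javascript
// next.config.js (example; assumes a Next.js app deployed on Vercel)

// Build the header set once so it can be reviewed and tested in isolation.
function securityHeaders() {
  // Placeholder policy: tighten or extend per directive as the app requires.
  const csp = [
    "default-src 'self'",
    "script-src 'self'",
    "style-src 'self'",
    "img-src 'self' data:",
    "object-src 'none'",
    "frame-ancestors 'none'", // modern replacement for X-Frame-Options
    "base-uri 'self'",
    "form-action 'self'",
  ].join('; ');

  return [
    // Two-year HSTS; only add "preload" once you intend to submit the domain.
    { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
    { key: 'Content-Security-Policy', value: csp },
    // Kept for older browsers that ignore frame-ancestors.
    { key: 'X-Frame-Options', value: 'DENY' },
    // Stops MIME sniffing of responses (e.g. treating uploads as scripts).
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  ];
}

/** @type {import('next').NextConfig} */
const nextConfig = {
  async headers() {
    // Apply the same header set to every path, including API routes.
    return [{ source: '/:path*', headers: securityHeaders() }];
  },
};

// Guarded so the file also loads outside the Next.js config loader.
if (typeof module !== 'undefined') module.exports = nextConfig;
```

After deploying, confirm the headers with `curl -I https://<your-deployment>` and check the CSP report-only variant first if the app loads third-party scripts.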
Should I enable Vercel Analytics for security monitoring?
Vercel Analytics focuses on performance, not security. For security monitoring, use Vercel Firewall and integrate with a security monitoring service.
Last updated: January 2026