Vercel Security Issues Every Developer Should Check in 2026

1. NEXT_PUBLIC_ Prefix Leaks

Next.js on Vercel uses a convention: environment variables prefixed with NEXT_PUBLIC_ get bundled into the client-side JavaScript so they're accessible in the browser. Everything else stays server-side only.

The failure mode: developers paste a secret into Vercel's env var UI, accidentally name it with the NEXT_PUBLIC_ prefix, and ship. Once deployed, the secret is in every user's browser. Removing it from the Vercel dashboard afterward doesn't help because the bundle is still cached and distributed.

How to audit

1. List every NEXT_PUBLIC_* var in your Vercel dashboard.
2. For each one, ask: "Should every visitor be able to see this?" If the answer is no, the prefix is wrong.
3. Any secret that ever had this prefix must be rotated. The bundle is out there.
4. Use Route Handlers (app/api/*) or Server Actions for anything that touches a secret.

2. Preview Deployments Without Access Control

Vercel generates a preview deployment for every git branch and pull request. By default, these URLs (yourapp-git-feature-branch-yourteam.vercel.app) are publicly accessible. They often contain unreleased features, partially-implemented admin panels, staging data, or debug output.

Preview URLs get into Google's index surprisingly often through tweets, Slack messages, Linear comments, or deployment notification webhooks that get crawled. Once indexed, your half-built feature is public.

How to fix it

1. Enable Vercel Authentication for preview deployments (Settings, Deployment Protection).
2. Or set up Shareable Links so only people with the link can access previews.
3. Add X-Robots-Tag: noindex for preview environments to stop indexing.

3. Environment Variable Scope Mix-ups

Vercel lets you scope each env var to Production, Preview, Development, or any combination. The convenient move is to enable all three so "things just work." The risk: your production STRIPE_SECRET_KEY is now loaded in every preview deployment built from every branch, including ones from contractors or forks.

Preview deployments are less audited than production. A PR that adds console.log(process.env.STRIPE_SECRET_KEY) might slip through code review if the reviewer assumes that variable won't be defined in previews. On Vercel, it is, if you scoped it everywhere.

How to audit

1. Go to Project, then Settings, then Environment Variables.
2. For each production secret, verify it's NOT enabled for Preview or Development.
3. Use separate test-mode keys (Stripe test keys, sandbox tokens) for Preview.

4. Serverless Function Log Leakage

Vercel's Functions tab shows logs for every invocation: request headers, query params, console output, and errors. Anyone with project access to Vercel can read these logs. If your functions log sensitive data (intentionally via console.log(user) or accidentally via uncaught errors that include session tokens), it ends up in the log retention window.

How to fix

1. Audit every console.log in Route Handlers for what it outputs.
2. Use a logger that redacts sensitive fields by default (pino with redact, winston with a custom formatter).
3. Catch errors explicitly. Don't let unhandled errors dump stack traces that may contain tokens.
4. Restrict Vercel project access to people who actually need it.

5. Missing or Loose Security Headers

Vercel sets a few security headers by default (HSTS on production domains, X-Content-Type-Options for static files) but not everything you need. Content-Security-Policy, X-Frame-Options, Permissions-Policy, and Referrer-Policy all have to be configured manually, usually in next.config.js or vercel.json.

The most common failure isn't "no CSP," it's "CSP with unsafe-inline." A CSP that includes 'unsafe-inline' in script-src provides essentially no XSS protection. Many Next.js apps land there because getting a strict CSP working with Next's inline scripts takes deliberate nonce setup.

For CSP, use nonce-based configuration (Next.js docs) rather than unsafe-inline. Or test your existing CSP to see if it's actually protecting you.

6. CORS Misconfiguration in API Routes

Vercel Route Handlers and API routes need explicit CORS handling for cross-origin requests. The easy (and wrong) fix when developers hit a CORS error: set Access-Control-Allow-Origin: * to make the error go away. This often ships to production.

Worse patterns: reflecting the incoming Origin header back in the response, or accepting Origin: null. Both effectively disable the same-origin policy for your API.

How to check

Test your API with an attacker-like origin to see if it gets reflected. Or manually inspect your Route Handler headers. If you see Origin reflection with credentials, fix it immediately.

7. Build-Time Secret Leakage in Logs

Vercel's deployment logs are visible to every team member. If your build process console.logs environment variables (even for debugging), they get captured in the build output and retained. A common offender is CI scripts or custom build commands that echo environment state on failure.

Another pattern: using an env var in a shell command via $VAR interpolation in package.json scripts. Vercel's build logs show the fully-expanded command line, meaning the secret value appears literally in the log.

How to fix

1. Review build logs for any env var values visible in plaintext.
2. Remove any echo $SECRET or equivalent from build scripts.
3. If a secret was ever in the logs, rotate it. Logs are retained and may have been viewed.

Related Resources