Step-by-Step Guide
6 steps

How to Deploy to Vercel Securely

Vercel handles infrastructure security well, but application-level security is your responsibility. This checklist covers every security configuration you should verify before deploying to production on Vercel.

Find security issues automatically before attackers do.

Follow These Steps

1

Audit environment variables

Verify that no secret is stored under the NEXT_PUBLIC_ prefix (Next.js inlines every NEXT_PUBLIC_ variable into the browser bundle, so it becomes public on deploy) and that every production secret is actually set.

Code Example
# Check for misuse of NEXT_PUBLIC_ in source and env files; skip build output and dependencies
grep -rn "NEXT_PUBLIC_.*SECRET\|NEXT_PUBLIC_.*PASSWORD\|NEXT_PUBLIC_.*KEY.*sk" . \
  --include="*.ts" --include="*.tsx" --include="*.js" --include="*.env*" \
  --exclude-dir=node_modules --exclude-dir=.next

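The grep above catches a few name patterns; a practitioner usually also wants to check the values (a key that starts with sk_ is a secret whatever it is called) and confirm that required production variables are not empty. The following script is an added example, not part of the original guide or of Vercel's tooling: it parses a dotenv-formatted string, flags NEXT_PUBLIC_ variables that look like secrets by name or by value, and lists required variables that are missing. The sample .env content, the name hints and the value patterns are all constructed for this example.

```javascript
// Added example (not from the guide): audit environment variables for secrets
// that would ship to the browser through the NEXT_PUBLIC_ prefix. Next.js
// inlines every NEXT_PUBLIC_* variable into the client bundle at build time.

// Name fragments that usually mean "server-side secret" (constructed list, adjust per project).
const SECRET_NAME_HINTS = ['SECRET', 'PASSWORD', 'PASSWD', 'TOKEN', 'PRIVATE', 'API_KEY', 'ACCESS_KEY', 'DATABASE_URL'];

// Value shapes that are recognisably private credentials, regardless of the variable name.
const SECRET_VALUE_PATTERNS = [
  /^sk_(live|test)_/,                                   // Stripe-style secret keys
  /^-----BEGIN [A-Z ]*PRIVATE KEY-----/,                // PEM private keys
  /^(postgres|mysql|mongodb(\+srv)?):\/\/[^:]+:[^@]+@/, // connection strings with an embedded password
];

// Parse dotenv text into {name, value} pairs. Handles KEY=value, optional
// single/double quotes around the value, blank lines and # comments.
function parseDotenv(text) {
  const entries = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    entries.push({ name, value });
  }
  return entries;
}

// One finding per NEXT_PUBLIC_ variable whose name or value looks like a secret.
function auditPublicVars(entries) {
  const findings = [];
  for (const { name, value } of entries) {
    if (!name.startsWith('NEXT_PUBLIC_')) continue;
    const upper = name.toUpperCase();
    const nameHit = SECRET_NAME_HINTS.find((hint) => upper.includes(hint));
    const valueHit = SECRET_VALUE_PATTERNS.find((re) => re.test(value));
    if (nameHit) findings.push({ name, reason: `name contains ${nameHit}` });
    else if (valueHit) findings.push({ name, reason: 'value matches a private credential pattern' });
  }
  return findings;
}

// Names from `required` that are absent or set to an empty value.
function missingRequired(entries, required) {
  const present = new Map(entries.map((e) => [e.name, e.value]));
  return required.filter((name) => !present.get(name));
}

// Constructed sample .env.production for this example (placeholder values, not real keys).
const SAMPLE_ENV = [
  '# constructed sample, not a real project file',
  'DATABASE_URL="postgres://app:hunter2@db.internal:5432/app"',
  'STRIPE_SECRET_KEY=sk_live_REDACTED',
  'NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_REDACTED',
  'NEXT_PUBLIC_API_URL=https://api.example.com',
  'NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_REDACTED',
  'NEXT_PUBLIC_BACKEND_KEY=sk_test_REDACTED',
  'SESSION_SECRET=',
].join('\n');

const entries = parseDotenv(SAMPLE_ENV);
console.log('exposed secrets:', auditPublicVars(entries));
console.log('missing required:', missingRequired(entries, ['DATABASE_URL', 'SESSION_SECRET', 'STRIPE_SECRET_KEY']));
```

To run it against a real project, read each .env* file with fs.readFileSync and pass the text to parseDotenv; the publishable Stripe key in the sample is deliberately left unflagged, since publishable keys are meant to be public, while the two sk_ values under NEXT_PUBLIC_ are reported.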
2

Configure security headers

Add comprehensive security headers in next.config.js.

Code Example
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Content-Type-Options', value: 'nosniff' },
        { key: 'X-Frame-Options', value: 'DENY' },
        { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
        { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' }
      ]
    }]
  }
}
3

Protect preview deployments

Enable Vercel's deployment protection for preview and development environments, so that those URLs require authentication instead of being reachable by anyone who learns the address.

4

Set up separate environment variables for preview

Use test API keys for preview deployments so that staging traffic cannot touch production data or third-party accounts.

In Vercel, each environment variable can be scoped to Production, Preview, or Development.

5

Enable Vercel Secure Compute (if available)

For sensitive workloads, consider Vercel Secure Compute for additional isolation.

6

Deploy and scan

Deploy to a preview URL first, scan with VAS, then promote to production.
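Step 2 declares the headers in next.config.js; step 6 is where you confirm the deployed preview actually sends them, because a misplaced config key or an unmatched `source` pattern fails silently. The following checker is an added example, not part of the guide or of VAS: it takes a response's headers as a plain object and reports anything missing or weak relative to the step 2 configuration, plus a Content-Security-Policy check that goes beyond the guide's list. The two sample header sets are constructed, and `checkUrl` assumes Node 18+ with the global fetch.

```javascript
// Added example (not from the guide): verify the security headers a deployed
// preview actually returns, mirroring the next.config.js headers from step 2.

const ONE_YEAR_SECONDS = 31536000;

// Parse a Strict-Transport-Security value into its max-age and includeSubDomains flag.
function parseHsts(value) {
  const directives = value.split(';').map((d) => d.trim().toLowerCase());
  const maxAge = directives.find((d) => d.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : 0,
    includeSubDomains: directives.includes('includesubdomains'),
  };
}

// headers: plain object of header name -> value (any case). Returns a list of problems; empty means all checks passed.
function checkSecurityHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const problems = [];

  if (h['x-content-type-options'] !== 'nosniff') problems.push('X-Content-Type-Options missing or not nosniff');

  // Either X-Frame-Options or a CSP frame-ancestors directive prevents framing.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const csp = h['content-security-policy'] || '';
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !/frame-ancestors/i.test(csp)) {
    problems.push('no clickjacking protection (X-Frame-Options or CSP frame-ancestors)');
  }

  if (!h['strict-transport-security']) {
    problems.push('Strict-Transport-Security missing');
  } else {
    const { maxAge, includeSubDomains } = parseHsts(h['strict-transport-security']);
    if (maxAge < ONE_YEAR_SECONDS) problems.push(`HSTS max-age ${maxAge} is below one year`);
    if (!includeSubDomains) problems.push('HSTS lacks includeSubDomains');
  }

  if (!h['referrer-policy']) problems.push('Referrer-Policy missing');
  if (!h['permissions-policy']) problems.push('Permissions-Policy missing');
  // Not in the guide's header list, but the check a reviewer would ask for next.
  if (!csp) problems.push('Content-Security-Policy missing (recommended, not in the step 2 list)');
  return problems;
}

// Fetch a URL (for example a preview deployment) and check its headers. Assumes Node 18+ global fetch.
async function checkUrl(url) {
  const res = await fetch(url, { redirect: 'manual' });
  return checkSecurityHeaders(Object.fromEntries(res.headers.entries()));
}

// Constructed sample: exactly what the step 2 next.config.js emits.
const GUIDE_HEADERS = {
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};

// Constructed sample: a deployment whose header config was never applied (values invented for the example).
const WEAK_HEADERS = {
  'strict-transport-security': 'max-age=300',
  'x-frame-options': 'allow-from https://example.com',
};

console.log('guide config:', checkSecurityHeaders(GUIDE_HEADERS));
console.log('weak deployment:', checkSecurityHeaders(WEAK_HEADERS));
```

Usage against a live preview is `checkUrl('https://<your-preview>.vercel.app').then(console.log)`; note that the guide's own configuration still produces one finding, the missing Content-Security-Policy, which is the checker's recommendation rather than something the guide requires.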

What You'll Achieve

Your Vercel deployment has correctly scoped environment variables, security headers and preview deployment protection, and has been scanned for vulnerabilities.

Common Mistakes to Avoid

Mistake

Deploying directly to production without testing

Fix

Always test security changes on a preview deployment first. Vercel creates preview URLs for every push.

Mistake

Not scoping environment variables by environment

Fix

Use different API keys for Preview and Production environments. Set scopes in the Vercel dashboard.

Frequently Asked Questions

Does Vercel provide DDoS protection?

Yes. Vercel provides automatic DDoS protection and Web Application Firewall (WAF) at the infrastructure level. Application-level rate limiting is still recommended for API routes.
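The application-level rate limiting the answer recommends is something Vercel's infrastructure protections do not do for you per route. The following is an added example, not code from the guide or from Vercel: a fixed-window limiter keyed by client address, wrapped around a pages-router API handler so that over-limit clients receive 429 with a Retry-After header. It assumes the platform sets X-Forwarded-For to the real client address (Vercel does) and that the handler uses the (req, res) API route signature; the clock is injectable so the logic can be tested without waiting.

```javascript
// Added example (not from the guide): per-client rate limiting for a Next.js
// API route, complementing Vercel's infrastructure-level DDoS protection.

// Fixed-window counter. `now` is injectable for deterministic tests; defaults to the wall clock.
function createRateLimiter({ limit, windowMs, now = () => Date.now() }) {
  const buckets = new Map(); // key -> { windowStart, count }
  return function check(key) {
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t - bucket.windowStart >= windowMs) {
      bucket = { windowStart: t, count: 0 };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= limit;
    return {
      allowed,
      remaining: Math.max(0, limit - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.windowStart + windowMs - t,
    };
  };
}

// Client key: first address in X-Forwarded-For (assumed to be set by the platform, as Vercel does),
// falling back to the socket address when no proxy header is present.
function clientKey(req) {
  const xff = req.headers['x-forwarded-for'];
  if (typeof xff === 'string' && xff.length > 0) return xff.split(',')[0].trim();
  return (req.socket && req.socket.remoteAddress) || 'unknown';
}

// Wrap a pages-router API handler so over-limit clients get 429 and rate-limit headers.
function withRateLimit(handler, options) {
  const check = createRateLimiter(options);
  return async function limited(req, res) {
    const result = check(clientKey(req));
    res.setHeader('X-RateLimit-Limit', String(options.limit));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.status(429).json({ error: 'Too many requests' });
      return;
    }
    await handler(req, res);
  };
}

// Example route (hypothetical): pages/api/contact.js would export this.
const contactHandler = withRateLimit(
  async (req, res) => res.status(200).json({ ok: true }),
  { limit: 10, windowMs: 60_000 },
);

// Stand-alone demonstration with an injected clock (no server needed).
let fakeTime = 0;
const demo = createRateLimiter({ limit: 3, windowMs: 1000, now: () => fakeTime });
console.log([1, 2, 3, 4].map(() => demo('203.0.113.5').allowed)); // fourth call is rejected
fakeTime = 1000;
console.log(demo('203.0.113.5').allowed); // new window, allowed again
```

The Map lives in the memory of one function instance: on a serverless platform it is not shared across instances or regions and is lost on cold start, so this enforces a per-instance ceiling rather than a global one. For a hard global limit, keep the same check() contract but back it with a shared store; the route wrapper and the 429 handling stay unchanged.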

Ready to Secure Your App?

VAS automatically scans your deployed app for the security issues covered in this guide. Get actionable results in minutes.
