Vercel
Security Guide

How to Secure Your Vercel App

Last updated: January 12, 2026

Vercel handles infrastructure security, but application configuration is your responsibility. This guide covers securing your Vercel deployments and Next.js applications.

Step-by-Step Security Guide

1. Configure Environment Variables Properly

Add secrets in Vercel Dashboard, not in code. Scope variables to the correct environment (Production, Preview, Development).

2. Understand NEXT_PUBLIC_ Prefix

Variables with NEXT_PUBLIC_ are exposed to the browser. Never use this prefix for secrets.

# Server-only (safe)
DATABASE_URL=...

# Exposed to browser (public only)
NEXT_PUBLIC_API_URL=...

3. Add Security Headers

Configure CSP, HSTS, and other security headers in next.config.js or vercel.json.

// next.config.js
module.exports = {
  // Apply these headers to every route; CSP and HSTS entries belong in the same list.
  headers: async () => [
    {
      source: '/(.*)',
      headers: [
        { key: 'X-Frame-Options', value: 'DENY' },           // refuse to be framed (clickjacking)
        { key: 'X-Content-Type-Options', value: 'nosniff' }, // stop MIME-type sniffing
      ],
    },
  ],
};
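
A fuller headers() configuration that also sets the CSP and HSTS headers this step mentions, as an added example rather than Vercel's or this guide's own code. The CSP source lists, the HSTS includeSubDomains/preload flags and the Permissions-Policy features are assumptions to adjust to what your app actually loads.

```javascript
// next.config.js: security headers for every route (added example, not the page's own code).
const ONE_YEAR_SECONDS = 60 * 60 * 24 * 365; // 31536000, a common HSTS max-age

// CSP kept as directive -> sources so it is easy to audit. Sources here are
// assumptions: scripts deliberately get no 'unsafe-inline' or 'unsafe-eval';
// 'unsafe-inline' for styles is a common Next.js compromise.
const cspDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:', 'https:'],
  'font-src': ["'self'"],
  'connect-src': ["'self'"],
  'frame-ancestors': ["'none'"], // modern equivalent of X-Frame-Options: DENY
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'upgrade-insecure-requests': [],
};

// Serialise the directive map into the header value format ("name src src; name src").
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

function securityHeaders() {
  return [
    { key: 'Content-Security-Policy', value: buildCsp(cspDirectives) },
    // HSTS only has effect over HTTPS, which Vercel serves by default. Drop
    // includeSubDomains/preload (assumed here) if any subdomain is still HTTP-only.
    { key: 'Strict-Transport-Security', value: `max-age=${ONE_YEAR_SECONDS}; includeSubDomains; preload` },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  ];
}

const nextConfig = {
  headers: async () => [{ source: '/(.*)', headers: securityHeaders() }],
};

// Export for Next.js; the guard keeps the file loadable outside CommonJS too.
if (typeof module !== 'undefined') module.exports = nextConfig;
```

Deploy to a preview first and check the browser console for CSP violation reports before promoting the policy to production.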

4. Protect Preview Deployments

Enable Deployment Protection to prevent unauthorized access to preview URLs.

5. Secure API Routes

Validate authentication and authorization in every API route and Server Action.

6. Run Security Scan

Use VAS to verify your deployment is secure before going live.

Common Security Mistakes

Avoid these common Vercel security pitfalls:

Putting secrets in NEXT_PUBLIC_ variables
Using same secrets across all environments
Leaving preview deployments unprotected
Missing security headers
Not validating auth in API routes

Recommended Security Tools

Use these tools to maintain security throughout development:

VAS Security Scanner
npm audit / yarn audit
Git-secrets
Snyk

Ready to Secure Your App?

Security is an ongoing process, not a one-time checklist. After implementing these steps, use VAS to verify your Vercel app is secure before launch, and consider regular scans as you add new features.

Frequently Asked Questions

Are Vercel environment variables secure?

Yes, Vercel encrypts environment variables at rest and in transit. They're only exposed to your build and runtime. Just don't use the NEXT_PUBLIC_ prefix for secrets.

How do I protect preview deployments?

Enable Deployment Protection in Project Settings. You can require Vercel authentication, password, or trusted IPs. This prevents unreleased features from being publicly accessible.