Vercel Security Checklist
Last updated: January 12, 2026
Use this checklist to ensure your Vercel application is secure before launch. 3 critical items require immediate attention.
Why This Security Checklist Matters
Security checklists serve as systematic guides for identifying vulnerabilities that might otherwise be overlooked during rapid development cycles. For Vercel applications specifically, this checklist addresses the most common security gaps that emerge when using AI-assisted development workflows.
Research from multiple security organizations indicates that approximately 80% of AI-built applications contain at least one exploitable vulnerability at launch. The vulnerabilities are often predictable—they follow patterns that this checklist is designed to catch. By systematically reviewing each item, you significantly reduce the risk of launching an insecure application.
Unlike generic security checklists, this guide focuses specifically on vulnerabilities prevalent in Vercel applications. Each item has been prioritized based on real-world attack patterns and the potential impact of exploitation. Critical items should be addressed before any production deployment.
Critical Priority
Critical items can lead to complete application compromise, data breaches, or unauthorized access to all user accounts. These must be addressed before deploying to production. Attackers actively scan for these vulnerabilities.
High Priority
High priority items represent significant security risks that could allow unauthorized access to sensitive data or functionality. While not immediately catastrophic, these vulnerabilities should be fixed as soon as possible.
Medium/Low Priority
Medium and low priority items strengthen your overall security posture. While they may not be immediately exploitable, addressing them prevents attack chains and defense-in-depth gaps.
Manual vs Automated Security Checking
While manual security reviews are thorough, they're time-consuming and prone to human error. Automated scanning catches common vulnerabilities instantly, freeing you to focus on business logic and complex security decisions.
Items VAS Automates
- Exposed API keys and secrets in JavaScript bundles
- HTTP security header configuration
- Supabase RLS policy testing
- Firebase Security Rules validation
- Cookie security attributes
Manual Review Still Required
- Business logic vulnerabilities
- Custom authentication implementations
- Access control logic in API routes
- Data validation requirements
- Third-party integration security
Environment Variables
Scope secrets to correct environment
Ensure production secrets aren't exposed in Preview or Development environments
Use NEXT_PUBLIC_ prefix intentionally
AutoOnly expose variables that should be client-side - this prefix makes them public
Rotate secrets after accidental exposure
If a secret was in wrong scope or committed to git, rotate it immediately
Audit environment variable access
Review which team members can view production secrets in Vercel dashboard
Use separate secrets per environment
Don't reuse the same API keys across development, preview, and production
Security Headers
Configure Content-Security-Policy
AutoAdd CSP in vercel.json or next.config.js headers() to prevent XSS attacks
Enable Strict-Transport-Security
AutoForce HTTPS connections with HSTS header (max-age=31536000)
Set X-Frame-Options
AutoPrevent clickjacking attacks with DENY or SAMEORIGIN value
Add X-Content-Type-Options
AutoPrevent MIME sniffing with nosniff value
Configure Referrer-Policy
AutoControl referrer information sent with requests
Preview Deployment Security
Password protect preview deployments
Enable Vercel Authentication to require login for preview URLs
Don't connect previews to production database
Use separate database instances or schemas for preview environments
Limit preview deployment access
Configure which team members can view preview deployments
Review preview deployment URLs
Ensure preview URLs aren't being shared or indexed by search engines
Serverless Functions
Validate all input in API routes
Never trust client input - validate types, lengths, and formats server-side
Add rate limiting to API endpoints
AutoProtect against abuse with Vercel's rate limiting or custom middleware
Set appropriate function timeout
Prevent timeout-based DoS by setting reasonable limits (default 10s)
Handle errors without leaking information
Return generic error messages to clients, log details server-side only
Implement proper CORS configuration
AutoDon't use Access-Control-Allow-Origin: * in production APIs
Don't Check Manually
VAS automatically checks 8 of these 19 items. Get instant results with detailed remediation guidance.
Run Automated Security ScanFrequently Asked Questions
What's the difference between environment variable scopes?
Vercel has three scopes: Production, Preview, and Development. Secrets scoped to Production aren't exposed in preview deploys. Use NEXT_PUBLIC_ prefix only for values that should be client-side. Scope sensitive secrets to Production only.
How do I add security headers on Vercel?
Add headers in next.config.js using the headers() function, or in vercel.json. Neither platform adds security headers by default - you must configure CSP, HSTS, X-Frame-Options, etc. manually. VAS checks for these headers.