Frontend cloud platform
Vercel deploys frontend apps and serverless functions. The security risks center on environment variables leaking into client bundles, serverless API routes that are reachable without authentication, auth checks that live only in Next.js edge middleware, and publicly reachable preview deployments.
Variables prefixed with NEXT_PUBLIC_ are inlined into the client JavaScript bundle at build time, so anyone who loads the site can read them in the served JS. Developers accidentally expose secrets this way by prefixing an API key or token to "make it work" in a component.
Only prefix truly public values (site URL, public API origin, analytics IDs) with NEXT_PUBLIC_. Keep secrets in unprefixed variables, which are available only to server-side code (API routes, Server Components, getServerSideProps), and rotate any secret that has ever shipped with the prefix.
Next.js API routes deployed on Vercel are publicly reachable URLs; any route that does not check authentication itself is an open endpoint.
Authenticate every API route. Verify the JWT server-side: check the signature against your secret or public key, reject unexpected algorithms (including alg=none), and enforce expiry; never trust claims from a token you have not verified.
Edge middleware is only a perimeter check. A route the middleware matcher does not cover, or a request that gets past a bug in the middleware, reaches the handler with no check at all.
Always validate auth in the API route handler itself; treat middleware as defense in depth, not as the only gate.
Every branch and pull request gets a preview deployment with its own public URL. Without Deployment Protection anyone who obtains the link can use it, and if the preview shares production environment variables it can read and write production data.
Give preview deployments their own environment variables (a separate database, separate third-party keys) and enable Deployment Protection (Vercel Authentication or Password Protection) on preview deployments.
A default deployment sets no Content-Security-Policy, X-Frame-Options, X-Content-Type-Options or other application-level security headers; Vercel adds HSTS on its own, but confirm it is present on your custom domain rather than assuming it.
Configure security headers with the headers() export in next.config.js (or the headers array in vercel.json for non-Next.js apps), then check a deployed URL to confirm they are actually served.
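Here is an added example (not the page's or Vercel's code) of a next.config.js headers() export that applies a baseline header set to every path, plus a small helper, missingSecurityHeaders, which is hypothetical and checks a fetched response's headers against that list the way a header checker would. The CSP value is an intentionally strict starting point and an assumption; any app that loads third-party scripts or styles will need to extend it.

```javascript
// Added example (not from the page): baseline security headers for next.config.js.

// The header values below are assumptions for illustration; tune the CSP to the app.
const securityHeaders = [
  {
    key: 'Content-Security-Policy',
    value: "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
  },
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// next.config.js headers() export: apply the set to every route.
async function headers() {
  return [{ source: '/(.*)', headers: securityHeaders }];
}

// Hypothetical CI check: given the headers of a response from the deployed site
// (e.g. Object.fromEntries(res.headers) from fetch), report which baseline
// headers are missing. Header names are compared case-insensitively.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  return securityHeaders.map((h) => h.key).filter((k) => !present.has(k.toLowerCase()));
}

// In next.config.js this would be: module.exports = { headers };
module.exports = { headers, securityHeaders, missingSecurityHeaders };
```

After deploying, fetch the production URL and run missingSecurityHeaders over the response headers; a non-empty result means the config is not reaching the served responses (a common cause is a headers() entry whose source pattern does not match the path).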
Use Vercel's Environment Variables settings to keep production, preview, and development secrets separate; scope each variable to only the environments that need it.
Run Erzo's Header Checker on your Vercel deployment to verify security headers.