v0 + Vercel pre-launch security checklist
v0 + Vercel is the shortest path from idea to production for many vibe coders. The downside: most of v0’s output skips backend security entirely. This checklist focuses on the gaps Vercel does not auto-fix.
11 checks
Tick through each one
Click any item to open the detailed fix guide. The detector tag shows which scanner module flips the item to pass or fail when you run a SafeToShip scan.
- Secrets in Vercel env vars (not NEXT_PUBLIC_, not in code) (Critical; detector: js-secrets)
- .env not committed and not exposed at deploy URL (Critical; detector: exposed-files)
- CSP via next.config.js or middleware (High; detector: headers)
- HSTS via next.config.js headers function (High; detector: headers)
- Cookies Secure + HttpOnly + SameSite (High; detector: cookies)
- API route CORS not wildcard (High; detector: cors)
- Server auth check on protected pages (High; detector: tech-detect)
- Valid TLS (Vercel default; verify domain config) (High; detector: ssl)
- Analytics scripts loaded with proper CSP nonce (Low; detector: tech-detect)
- Rate limiting on /api/* via Vercel edge or @upstash/ratelimit (Medium; detector: rate-limit)
- No X-Powered-By header leaking framework version (Low; detector: tech-detect)
Paste this into v0
One prompt that runs the entire checklist as a code review pass.
Audit my v0 + Vercel app: move all secrets to Vercel env vars (not NEXT_PUBLIC_ unless truly public), prevent .env from being deployed, configure CSP/HSTS via next.config.js headers function or middleware, set Secure+HttpOnly+SameSite on session cookies, allowlist CORS origins on /api/* routes, add server-side auth checks on protected routes, confirm TLS, integrate rate limiting via @upstash/ratelimit, and disable poweredByHeader in next.config.js.
FAQ
Frequently asked questions
- Does Vercel handle CSP automatically?
- No — you configure it via next.config.js headers or middleware. Vercel handles TLS, automatic HTTPS redirect, and CDN — but CSP/HSTS/security headers are your code responsibility.
- Why disable X-Powered-By?
- It tells attackers exactly which Next.js version you run, narrowing their CVE search. One-line config: poweredByHeader: false in next.config.js.
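As an added example (not SafeToShip's or Vercel's code), here is a next.config.js that closes the CSP, HSTS and X-Powered-By items from the checklist and FAQ in one place. It assumes the app loads scripts only from its own origin plus the Vercel Analytics host https://va.vercel-scripts.com; a nonce-based CSP for inline analytics snippets must instead be generated per request in middleware, because next.config.js headers are static.

```javascript
// next.config.js -- added example, not code from SafeToShip or Vercel.
// Covers three checklist items: CSP, HSTS, and the X-Powered-By header.
// Assumption: scripts come only from this origin and Vercel Analytics;
// extend the allowlists below for any other third-party script or API.

const csp = [
  "default-src 'self'",
  "script-src 'self' https://va.vercel-scripts.com",
  "style-src 'self' 'unsafe-inline'", // most CSS-in-JS setups still need this
  "img-src 'self' data: blob:",
  "font-src 'self'",
  "connect-src 'self'",               // analytics beacons go to /_vercel/* on this origin
  "frame-ancestors 'none'",           // clickjacking protection
  "base-uri 'self'",
  "form-action 'self'",
  "upgrade-insecure-requests",
].join("; ");

const securityHeaders = [
  { key: "Content-Security-Policy", value: csp },
  // Two years, subdomains included, eligible for browser preload lists.
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
];

// Small helper so the header set can be inspected or unit-tested directly.
function getSecurityHeader(name) {
  const hit = securityHeaders.find((h) => h.key.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : undefined;
}

const nextConfig = {
  poweredByHeader: false, // removes "X-Powered-By: Next.js" from every response
  async headers() {
    // Apply to every route, API routes included.
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

// Guarded so the file loads under CommonJS (what Next.js expects) and ESM tooling alike.
if (typeof module !== "undefined") module.exports = nextConfig;
```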
Per-issue depth
Fix guides for this checklist
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Run the scan to confirm each check
60 seconds. Free. No account required.