Vercel production-launch security checklist

Vercel handles TLS, CDN, and DDoS protection for free, but security headers, rate limiting, and CORS still need explicit code. This list covers the Vercel-specific gaps.

Paste this into Vercel

One prompt that runs the entire checklist as a code review pass.

Audit my Vercel deployment: confirm server-only env vars are not prefixed NEXT_PUBLIC_, verify Production env scope is distinct from Preview, ensure .env is not deployed at the site root, configure CSP/HSTS/X-Content-Type-Options via next.config.js headers function, set CSP per-request nonce via middleware (drop unsafe-inline), set poweredByHeader: false, allowlist /api/* CORS origins, set Secure+HttpOnly+SameSite on cookies, integrate @upstash/ratelimit on hot routes, enable Vercel password protection on Preview deployments if previews ever contain real data, and confirm HTTPS-only with no mixed content.
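The header-related items in the prompt above (CSP/HSTS/X-Content-Type-Options via the next.config.js headers function, a per-request CSP nonce instead of unsafe-inline, poweredByHeader: false), worked through as an added example that is not SafeToShip's or Vercel's code. It assumes a Next.js app; the buildCsp helper is a hypothetical name that a middleware would call once per request with a freshly generated nonce, and the directive values are illustrative choices.

```javascript
// next.config.js  (added example; assumes a Next.js project on Vercel)

// Static headers that are safe to set once for every route. CSP is NOT here:
// a per-request nonce cannot live in a static config, so it is built by
// buildCsp() below and attached in middleware instead.
const securityHeaders = [
  // Vercel terminates TLS, but HSTS still needs to be sent by the app.
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
];

// Builds a CSP that allows inline scripts/styles only when they carry the
// per-request nonce, so 'unsafe-inline' can be dropped entirely.
// The nonce must be base64 and at least 16 characters (128 bits of randomness).
function buildCsp(nonce) {
  if (typeof nonce !== "string" || !/^[A-Za-z0-9+/=]{16,}$/.test(nonce)) {
    throw new Error("CSP nonce must be a base64 string of at least 16 characters");
  }
  const directives = [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
    `style-src 'self' 'nonce-${nonce}'`,
    "img-src 'self' data: https:",
    "font-src 'self'",
    "connect-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
    "upgrade-insecure-requests", // no mixed content on an HTTPS-only site
  ];
  return directives.join("; ");
}

const nextConfig = {
  // Drop the "X-Powered-By: Next.js" fingerprint header.
  poweredByHeader: false,
  // Next.js calls this at build time and applies the result on every response.
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

module.exports = nextConfig;
```

In middleware, generate the nonce with Web Crypto (the Edge runtime has `crypto.getRandomValues`), base64-encode it, call `buildCsp(nonce)` for the `Content-Security-Policy` header, and pass the same nonce to the page so its inline `<script nonce=...>` tags match.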

Frequently asked questions

How do I scope env vars properly on Vercel?
In the Vercel dashboard, each env var has a checkbox per environment (Production, Preview, Development). Production secrets should NOT be checked for Preview; otherwise PR deploys can leak them.

Why use Vercel password protection on Preview?
Preview URLs are not indexed but are publicly accessible to anyone who has the link. If your previews contain real customer data or unfinished features, password-protect them via Project Settings → Deployment Protection.