Built with Vercel?
Security scanning for Vercel deployments
Vercel handles hosting and SSL, but your application code still needs security hardening. Missing CSP headers and exposed environment variables are the top issues.
Free scan. No account required.
Common issues
Top vulnerabilities in Vercel apps
These are the three most common security issues we find when scanning Vercel projects.
Missing Content Security Policy header on your deployed application
Environment variables accidentally exposed in client-side bundles
Cookie configuration missing SameSite and HttpOnly attributes
How it works
60-second security audit
01
Paste your URL
Enter your Vercel app URL. We handle the rest.
02
Get your score
10 security modules run in parallel against your live site.
03
Fix with AI prompts
Copy the fix prompts into your AI tool and ship secure.
10 security modules, one scan
Every scan checks security headers, SSL/TLS, exposed files, JavaScript secrets, Supabase & Firebase configs, CORS, cookies, email security, and tech detection.
Fix guides for Vercel
Common Vercel security fixes
Missing CSP header
Without a Content-Security-Policy header, the browser will run any script an attacker manages to inject into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Cookie missing Secure flag
Cookies without the Secure flag can be sent over HTTP, leaking session tokens to anyone on the same network. Here is how to set it.
Cookie missing HttpOnly
HttpOnly stops JavaScript from reading a cookie, which is critical for session tokens. Here is when and how to set it.
Cookie missing SameSite
SameSite controls whether cookies are sent on cross-site requests — the main defense against CSRF. Here is how to set it.
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.
FAQ
Vercel security FAQ
- Does Vercel add security headers automatically?
- Vercel adds HSTS on custom domains and handles TLS, but it does not add CSP, X-Frame-Options, or Permissions-Policy — those are application-level. Set them in your framework or in `vercel.json`.
- How do I keep env vars out of my Next.js bundle on Vercel?
- Do not prefix secrets with `NEXT_PUBLIC_`. Only values meant to be public (Stripe publishable key, Supabase anon key) should have that prefix. Everything else is automatically kept server-side.
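As an added example (not code from this page or from Vercel), here is a `vercel.json` that sets the three application-level headers the answer names on every route. The `"/(.*)"` source pattern and the CSP origins are assumptions for a plain Next.js app: the policy below is a deliberately strict starting point, and any script, style, image or API origin your app actually loads must be added to the matching directive or the browser will block it.

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Content-Security-Policy",
          "value": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
        },
        {
          "key": "X-Frame-Options",
          "value": "DENY"
        },
        {
          "key": "Permissions-Policy",
          "value": "camera=(), microphone=(), geolocation=(), payment=()"
        }
      ]
    }
  ]
}
```

After deploying, confirm the headers with `curl -sI https://your-app.vercel.app` (your own URL) and check the browser console for CSP violation reports before tightening further.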
Scan your Vercel app now
Find security issues before your users do. It takes 60 seconds and your first scan is free.