
Vercel deployment security checklist for AI-built apps

6 min read · VibeSafe Blog

Vercel makes deployment invisible — push and it's live. That convenience hides a few sharp edges that AI-generated apps hit constantly. Check these before your next deploy.

1. The NEXT_PUBLIC_ trap

Any environment variable prefixed NEXT_PUBLIC_ is inlined into your browser JavaScript at build time, so it is visible to every visitor and to anyone who reads the bundle later. AI tools regularly put real secrets behind that prefix because it "makes the error go away." Rule: NEXT_PUBLIC_ is for genuinely public values only. Your Supabase anon key qualifies, because row-level security is what protects the data behind it; your service_role key never does, because it bypasses that security. Audit your Vercel env vars for misplaced secrets and rotate any you find: removing the prefix alone is not enough, since the value has already shipped in earlier builds.

2. Server-side secrets belong in env vars

Keys used by API routes, route handlers, and server components go in Vercel's environment variables without the public prefix, set per environment (Production / Preview / Development) and never hardcoded. Read them from process.env on the server only; a value that a client component needs is, by definition, public, so if a secret seems to be required in the browser the fix is to move that call behind an API route, not to rename the variable.
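An audit for sections 1 and 2 above, as an added example (not code from the original post or from Vercel, Next.js or Supabase): it parses dotenv-style text of the kind `vercel env pull` writes to .env.local and flags NEXT_PUBLIC_ variables whose name or value looks like a server-side secret. The Supabase check decodes the key's JWT payload and reads its `role` claim, which is "anon" for the public key and "service_role" for the one that must never ship. The sample keys and values are constructed, and the name hints and value patterns are this example's own heuristics.

```javascript
// Added example, not code from the original post or from Vercel/Next.js/Supabase:
// audit dotenv-style text (the .env.local that `vercel env pull` writes) for
// secrets hiding behind the NEXT_PUBLIC_ prefix.

const PUBLIC_PREFIX = "NEXT_PUBLIC_";
// Name fragments that almost never belong on a browser-exposed variable (heuristic).
const SECRET_NAME_HINTS = ["SECRET", "PRIVATE", "SERVICE_ROLE", "PASSWORD"];
// Value shapes that are always server-side credentials (heuristic).
const SECRET_VALUE_PATTERNS = [
  /^sk_(live|test)_/,                       // Stripe secret keys
  /^-----BEGIN( [A-Z]+)? PRIVATE KEY-----/, // PEM private keys
  /^ghp_[A-Za-z0-9]{20,}/,                  // GitHub personal access tokens
  /^AKIA[0-9A-Z]{16}$/,                     // AWS access key IDs
];

// Minimal dotenv parser: KEY=value per line, optional quotes, '#' comments.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    vars[name] = value;
  }
  return vars;
}

// Decode a JWT payload without verifying it; only the `role` claim matters here.
// Supabase keys are JWTs whose role is "anon" (safe to ship) or "service_role"
// (bypasses row-level security, never safe to ship).
function jwtRole(value) {
  const parts = value.split(".");
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof claims.role === "string" ? claims.role : null;
  } catch {
    return null;
  }
}

// One finding per NEXT_PUBLIC_ variable that looks like a secret.
function auditPublicVars(vars) {
  const findings = [];
  for (const [name, value] of Object.entries(vars)) {
    if (!name.startsWith(PUBLIC_PREFIX)) continue;
    const bare = name.slice(PUBLIC_PREFIX.length);
    const hint = SECRET_NAME_HINTS.find((h) => bare.includes(h));
    const role = jwtRole(value);
    if (hint) {
      findings.push({ name, reason: `name contains ${hint}` });
    } else if (SECRET_VALUE_PATTERNS.some((re) => re.test(value))) {
      findings.push({ name, reason: "value matches a known secret format" });
    } else if (role && role !== "anon") {
      findings.push({ name, reason: `JWT role is ${role}, not anon` });
    }
  }
  return findings;
}

// Constructed sample: unsigned JWTs with the claim shape Supabase keys use,
// plus a fake Stripe key. Nothing here is a real credential.
function fakeJwt(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(claims)}.${b64("not-a-real-signature")}`;
}

const SAMPLE_ENV = [
  "# constructed .env.local, as `vercel env pull` would write it",
  "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co",
  `NEXT_PUBLIC_SUPABASE_ANON_KEY=${fakeJwt({ iss: "supabase", role: "anon" })}`,
  `NEXT_PUBLIC_SUPABASE_KEY="${fakeJwt({ iss: "supabase", role: "service_role" })}"`,
  "NEXT_PUBLIC_STRIPE_KEY=sk_live_constructed0000000000",
  "NEXT_PUBLIC_DB_PASSWORD=hunter2",
  "STRIPE_SECRET_KEY=sk_live_constructed0000000000", // no public prefix: fine
].join("\n");

const findings = auditPublicVars(parseDotenv(SAMPLE_ENV));
for (const f of findings) console.log(`${f.name}: ${f.reason}`);
```

Run it against a pulled .env.local and treat every finding as "rotate, then move": create the key without the prefix, redeploy, and only then revoke the old one, because the exposed value stays in every bundle that was built with it.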

3. Security headers

Don't assume Vercel sets HSTS, CSP, or X-Frame-Options for you: check what your domain actually returns (curl -I https://your-app.example) and add whatever is missing in vercel.json or in the headers() function of next.config.js. It is a few minutes of config that shuts off whole attack classes such as clickjacking (X-Frame-Options, or CSP frame-ancestors) and MIME sniffing (X-Content-Type-Options). One caveat: a strict script-src will break the inline scripts Next.js emits unless you use nonces, so roll a CSP out as Content-Security-Policy-Report-Only first and tighten it from the reports.
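The header set described above, as an added example (not code from the original post or from Vercel/Next.js): the headers() entry you would export from next.config.js, plus a check that compares the headers a deployment actually returns against that list and reports what is missing or weaker than recommended. The header values are a starting point rather than a universal answer, the one-year HSTS floor is hstspreload.org's minimum, and the two sample responses are constructed.

```javascript
// Added example, not code from the original post or from Vercel/Next.js: a
// next.config.js headers() entry and an audit of a captured response against it.

const ONE_YEAR = 31536000; // hstspreload.org's minimum max-age

const securityHeaders = [
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  // Next.js emits inline scripts, so a strict script-src needs nonces; until
  // then ship this under Content-Security-Policy-Report-Only and read the reports.
  {
    key: "Content-Security-Policy",
    value: "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
  },
];

// In next.config.js this object is what you module.exports.
const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

// Compare a captured response (e.g. the output of `curl -I`) against the list
// above. Header names are case-insensitive; returns what is missing and what
// is present but weaker than the recommendation.
function auditResponseHeaders(responseHeaders) {
  const got = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  const missing = [];
  const weak = [];
  for (const { key } of securityHeaders) {
    const actual = got.get(key.toLowerCase());
    if (actual === undefined) {
      missing.push(key);
      continue;
    }
    if (key === "Strict-Transport-Security") {
      const m = /max-age=(\d+)/i.exec(actual);
      if (!m || Number(m[1]) < ONE_YEAR) weak.push(key); // short or absent max-age
    }
    if (key === "Content-Security-Policy" && !/frame-ancestors/i.test(actual)) {
      weak.push(key); // a CSP that does not cover framing still allows clickjacking
    }
  }
  return { missing, weak };
}

// Constructed response from a deployment that set nothing but a short HSTS.
const FRESH_DEPLOY = {
  "content-type": "text/html; charset=utf-8",
  "strict-transport-security": "max-age=300",
  "cache-control": "public, max-age=0, must-revalidate",
};

// What the same check reports once the config above is live.
const HARDENED = Object.fromEntries(securityHeaders.map(({ key, value }) => [key, value]));

console.log(auditResponseHeaders(FRESH_DEPLOY));
console.log(auditResponseHeaders(HARDENED));
```

In vercel.json the equivalent is a top-level headers array whose entries carry the same source and key/value shape. Keep X-Frame-Options alongside frame-ancestors: modern browsers honour the CSP directive, older ones only the header.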

4. Preview deployments leak too

Every branch gets a preview URL that anyone who has it can open unless deployment protection is turned on, and preview URLs are not secrets: they land in commit statuses, pull request comments, and browser history. If your Preview environment variables point at production data, whoever finds the URL is looking at production. Scope credentials per environment so previews get their own database and API keys, and protect previews with Vercel's deployment protection (Vercel Authentication or password protection).
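A fail-closed guard for the case described above, as an added example (not code from the original post or from Vercel): it refuses to start a preview or development deployment with the production connection string. VERCEL_ENV is the system variable Vercel sets to "production", "preview" or "development"; the names DATABASE_URL and PREVIEW_DATABASE_URL and the four scenarios are this example's own.

```javascript
// Added example, not code from the original post or from Vercel: keep preview
// and development deployments off production data, failing at startup rather
// than connecting. VERCEL_ENV is Vercel's system variable; DATABASE_URL and
// PREVIEW_DATABASE_URL are names assumed for this example.

function hostOf(url) {
  try {
    return new URL(url).host; // includes the port, e.g. "db.prod.example:5432"
  } catch {
    return null; // undefined or unparsable input
  }
}

// Returns the connection string for the running environment, or throws.
// Throwing is deliberate: a preview that silently reaches production is
// exactly the failure this guard exists to make impossible.
function resolveDatabaseUrl(env) {
  const target = env.VERCEL_ENV || "development";
  const prod = env.DATABASE_URL;
  if (target === "production") {
    if (!prod) throw new Error("production: DATABASE_URL is not set");
    return prod;
  }
  const preview = env.PREVIEW_DATABASE_URL;
  if (!preview) {
    throw new Error(`${target}: PREVIEW_DATABASE_URL is not set; refusing to fall back to DATABASE_URL`);
  }
  const prodHost = hostOf(prod);
  if (prodHost && hostOf(preview) === prodHost) {
    throw new Error(`${target}: PREVIEW_DATABASE_URL points at the production host ${prodHost}`);
  }
  return preview;
}

// Wrapper so callers (and the reader) can see the outcome without a try/catch.
function tryResolve(env) {
  try {
    return { ok: true, url: resolveDatabaseUrl(env) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed environments. In Vercel you scope these per environment in the
// dashboard; the guard catches the case where someone ticked all three boxes
// for the production value. No real hosts or credentials.
const PROD_URL = "postgres://app:pw@db.prod.example:5432/app";
const PREVIEW_URL = "postgres://app:pw@db.preview.example:5432/app";
const SCENARIOS = {
  production: { VERCEL_ENV: "production", DATABASE_URL: PROD_URL },
  previewSeparate: { VERCEL_ENV: "preview", DATABASE_URL: PROD_URL, PREVIEW_DATABASE_URL: PREVIEW_URL },
  previewLeaky: { VERCEL_ENV: "preview", DATABASE_URL: PROD_URL, PREVIEW_DATABASE_URL: PROD_URL },
  previewUnset: { VERCEL_ENV: "preview", DATABASE_URL: PROD_URL },
};

for (const [name, env] of Object.entries(SCENARIOS)) {
  console.log(name, tryResolve(env));
}
```

Call resolveDatabaseUrl(process.env) once where the database client is created so the error surfaces in the build or first request of the preview, not in a support ticket. The guard complements, and does not replace, deployment protection: it stops a preview from reading production, while protection stops strangers from reading the preview.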

The pre-deploy checklist

VibeSafe's live URL scan checks your deployed Vercel app for missing headers, exposed paths, and CORS misconfiguration — no code access needed.


An honest note. VibeSafe helps catch the most common risks in AI-built apps quickly. It doesn't replace a professional security audit for high-risk applications.
